<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN" "http://www.w3.org/TR/REC-html40/loose.dtd">
<html lang="en">
<head>
<meta content="text/html; charset=utf-8" http-equiv="Content-Type">
<title>
GitLab
</title>
<style>img {
max-width: 100%; height: auto;
}
</style>
</head>
<body>
<div class="content">
<h3>
Timo Aaltonen pushed to branch upstream
at <a href="https://salsa.debian.org/freeipa-team/freeipa">FreeIPA packaging / freeipa</a>
</h3>
<h4>
Commits:
</h4>
<ul>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/commit/f38708fdcb9573eb56af119bd624c339e2c8e1e1">f38708fd</a></strong>
<div>
<span>by Tomas Krizek</span>
<i>at 2017-09-01T12:38:37Z</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">Contributors.txt: update
Signed-off-by: Tomas Krizek <tkrizek@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/commit/ac6e4cb61c67601a03bcbb9164dc74933c030875">ac6e4cb6</a></strong>
<div>
<span>by Tomas Krizek</span>
<i>at 2017-09-01T12:39:22Z</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">VERSION: set 4.6 git snapshot
Signed-off-by: Tomas Krizek <tkrizek@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/commit/45bd31b436ffea298b12034e8a9b829569d19d2c">45bd31b4</a></strong>
<div>
<span>by Pavel Vomacka</span>
<i>at 2017-09-05T12:07:02Z</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">Adds whoami DS plugin in case that plugin is missing
When first installation of IPA has been done when whoami
plugin was not enabled in DS by default and then IPA was
upgraded to newer versions, then after upgrade to IPA 4.5
WebUI stops working. This is caused by new requirement on
whoami DS plugin which is used to obtain information about
logged in entity.
This fix adds the whoami plugin during update in case that the plugin
is not enabled.
https://pagure.io/freeipa/issue/7126
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Tibor Dudlak <tdudlak@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/commit/a077c705fe211716e967faf7a12ed738bc5261e9">a077c705</a></strong>
<div>
<span>by Florence Blanc-Renaud</span>
<i>at 2017-09-05T12:13:46Z</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">Fix ipa config-mod --ca-renewal-master
commit bddb90f38a3505a2768862d2f814c5e749a7dcde added the support for
multivalued server attributes (for pkinit_server_server), but this
introduced an API change where the setter and getter of ServerAttribute
are expecting list of values.
When a SingleValuedServerAttribute is used, we need to convert one elem
into a list containing this elem and vice-versa, so that the ipa config-mod
and ipa config_show APIs are not modified.
https://pagure.io/freeipa/issue/7120
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Fraser Tweedale <ftweedal@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/commit/755a50044cd2eefef3d365cc42c76a6ed4715afe">755a5004</a></strong>
<div>
<span>by Pavel Vomacka</span>
<i>at 2017-09-07T06:08:17Z</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">WebUI: remove unused parameter from get_whoami_command
The batch param is not used anywhere therefore we can remove it.
https://pagure.io/freeipa/issue/7143
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/commit/a7ab63b84cb07c2a09a271b2bb598fcbf0d144f9">a7ab63b8</a></strong>
<div>
<span>by Pavel Vomacka</span>
<i>at 2017-09-07T06:08:17Z</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">WebUI: Fix calling undefined method during reset passwords
When calling reset password the whoami command is not called in batch
command, therefore the result is different then in calling
during reset password operation. That needs to be handled to properly
set entity_show method which needs to be called after to gather
data about logged in entity.
https://pagure.io/freeipa/issue/7143
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/commit/cc5721db8145741fc09c295a226090d5cf6f5422">cc5721db</a></strong>
<div>
<span>by Stanislav Laznicka</span>
<i>at 2017-09-07T06:41:08Z</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">Travis: archive logs of py3 jobs
If something fails, only the logs of python2 jobs are currently
collected. Collect python3 logs as well.
Reviewed-By: Tibor Dudlak <tdudlak@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/commit/75e9f3ac6f109bc4e6c1b5ba278fc5d0b1d9afb3">75e9f3ac</a></strong>
<div>
<span>by Stanislav Laznicka</span>
<i>at 2017-09-08T07:30:40Z</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">travis: temporary workaround for Travis CI
Travis upgraded their environment but broke some deployments. Wait
for them to fix the issue with python3.
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/commit/a765746e95579a3f37c9caab5c2506f86b6acc02">a765746e</a></strong>
<div>
<span>by Stanislav Laznicka</span>
<i>at 2017-09-08T13:42:07Z</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">pylint: fix not-context-manager false positives
threading.Lock() in ipa-replica-conncheck is an alias to
thread.allocate_lock() which creates a LockType object.
This object is an actual context manager but the alias
seems to confuse pylint a bit.
https://pagure.io/freeipa/issue/6874
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/commit/806784dbd9e69a89c7a705c89bf42ba1fd4265c9">806784db</a></strong>
<div>
<span>by Stanislav Laznicka</span>
<i>at 2017-09-08T13:42:07Z</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">csrgen: fix incorrect codec for pyasn BitString
https://pagure.io/freeipa/issue/6874
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/commit/b57f87c9a020acad1ff9393c8f09a4c33713ccf1">b57f87c9</a></strong>
<div>
<span>by Stanislav Laznicka</span>
<i>at 2017-09-08T13:42:07Z</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">pylint: fix no-member in schema plugin
The `module.register` member is added just a few lines
before pylint warns there's none such thing.
https://pagure.io/freeipa/issue/6874
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/commit/216d37b7f0c26b82ae90bde6beb187acdf754e22">216d37b7</a></strong>
<div>
<span>by Stanislav Laznicka</span>
<i>at 2017-09-08T13:42:07Z</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">dcerpc: refactor assess_dcerpc_exception
assess_dcerpc_exception was used in multiple places with a pre-step
which was rather common. Move this to one spot.
This also fixes pylint warning about unbalanced unpacking.
https://pagure.io/freeipa/issue/6874
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/commit/3c616d733b6be9958c301027f5bf308c4c6ec366">3c616d73</a></strong>
<div>
<span>by Stanislav Laznicka</span>
<i>at 2017-09-08T13:42:07Z</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">dcerpc: disable unbalanced-tuple-unpacking
Disable unbalanced-tuple-unpacking for RuntimeException thrown
by samba since this one should always contain two members.
https://pagure.io/freeipa/issue/6874
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/commit/f7fc3a3fc1bf25158206cd26d90aa392037fe17a">f7fc3a3f</a></strong>
<div>
<span>by Stanislav Laznicka</span>
<i>at 2017-09-08T13:42:07Z</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">parameters: convert Decimal.precision to int
Explicitly convert Decimal.precision to int for unary `-` to make
sure int is passed to it.
Fixes pylint warning.
https://pagure.io/freeipa/issue/6874
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/commit/353d4934afa0e4a83d2458cebeaf362c7ce567e9">353d4934</a></strong>
<div>
<span>by Stanislav Laznicka</span>
<i>at 2017-09-08T13:42:07Z</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">pylint: Iterate through dictionaries
The consider-iterating-dictionary check disable never worked before
(notice the missing comma in pylintrc). Fix the rest of the dict
iteration.
https://pagure.io/freeipa/issue/6874
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/commit/33f13b6df92374342d0066bdb9bfc23f1647a623">33f13b6d</a></strong>
<div>
<span>by Stanislav Laznicka</span>
<i>at 2017-09-08T13:42:07Z</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">sudocmd: fix unsupported assignment
sudocmd.get_dn() was trying to assign in an item of a tuple
which is not possible.
https://pagure.io/freeipa/issue/6874
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/commit/f2701f3a0b535737f46bdb53732d7e4ea73ad167">f2701f3a</a></strong>
<div>
<span>by Stanislav Laznicka</span>
<i>at 2017-09-08T13:42:07Z</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">pylint: make unsupported-assignment-operation check local
unsupported-assignment-operation is useful at times, make it only
local, not global.
https://pagure.io/freeipa/issue/6874
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/commit/ae0bd124f5f13aea7b2f648e6ae7132b11910b2a">ae0bd124</a></strong>
<div>
<span>by Stanislav Laznicka</span>
<i>at 2017-09-08T13:42:07Z</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">install.util: disable no-value-for-parameter
InnerClassMeta is rather magical and seems to work as-is. There's a
reason not to always send all parameters to the methods since they
really don't have to be able to handle all the parameters all the
time.
https://pagure.io/freeipa/issue/6874
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/commit/fab589d7f5bb378d97b470cef0550355d34ab7dc">fab589d7</a></strong>
<div>
<span>by Stanislav Laznicka</span>
<i>at 2017-09-08T13:42:07Z</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">pylint: disable __hash__ for some classes
pylint requires all classes implementing __eq__ to also implement
__hash__. We disable hashing for the classes that miss the ability,
should they ever be required to use it, it can be implemented then.
https://pagure.io/freeipa/issue/6874
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/commit/82d0279381d7f6c3e9a30554c8dfa4a9e5e0196c">82d02793</a></strong>
<div>
<span>by Stanislav Laznicka</span>
<i>at 2017-09-08T13:42:07Z</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">secrets: disable relative-imports for custodia
pylint is somehow confused about us importing custodia in
ipaserver.secrets.* modules, disable the check for these.
https://pagure.io/freeipa/issue/6874
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/commit/0ae2473be0835655a1433bff47228ddabe602177">0ae2473b</a></strong>
<div>
<span>by Stanislav Laznicka</span>
<i>at 2017-09-08T13:42:07Z</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">rpcserver: don't call xmlserver.Command
xmlserver.Command does not have to be called so don't.
Fixes pylint: not-callable error.
https://pagure.io/freeipa/issue/6874
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/commit/c7f90159a3d5e000805603cd05d7395471af009f">c7f90159</a></strong>
<div>
<span>by Stanislav Laznicka</span>
<i>at 2017-09-08T13:42:07Z</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">Change the requirements for pylint in wheel
https://pagure.io/freeipa/issue/6874
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/commit/76c6ffe1250aa5dcacbef544724f765aae8f59ca">76c6ffe1</a></strong>
<div>
<span>by Stanislav Laznicka</span>
<i>at 2017-09-08T13:42:07Z</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">Change Travis CI container to FreeIPA-owned
https://pagure.io/freeipa/issue/6874
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/commit/a30095b3a6e4917e4a70a7f9f89478236244d28d">a30095b3</a></strong>
<div>
<span>by Stanislav Laznicka</span>
<i>at 2017-09-08T13:42:07Z</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">travis: remove "fast" from "makecache fast"
dnf makecache does not support the "fast" keyword in its
makecache subcommand in Fedora 26.
https://pagure.io/freeipa/issue/6874
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/commit/d88718cadc947a24e194d2c071d9565498614504">d88718ca</a></strong>
<div>
<span>by Tomas Krizek</span>
<i>at 2017-09-12T08:02:06Z</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">prci: use f26 template for master
Switch PR CI testing of master branch to Fedora 26.
Signed-off-by: Tomas Krizek <tkrizek@redhat.com>
Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/commit/05acd0965f94f818073f0acc002427f704c0d922">05acd096</a></strong>
<div>
<span>by Felipe Volpone</span>
<i>at 2017-09-12T13:46:04Z</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">Fixing how sssd.conf is updated when promoting a client to replica
When promoting a client to a replica we have to change sssd.conf,
deleting _srv_ part from 'ipa_server' property and setting
'ipa_server_mode' to true.
Previously, the wrong domain could be updated since the ipa_domain
variable was not being used properly.
https://pagure.io/freeipa/issue/7127
Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/commit/f3097e570cb0dd7e192e5b36277c765e7bd096a2">f3097e57</a></strong>
<div>
<span>by Fraser Tweedale</span>
<i>at 2017-09-12T13:52:06Z</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">issue_server_cert: avoid application of str to bytes
Part of: https://pagure.io/freeipa/issue/7131
Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/commit/fcc2c5da9724a78f9ea11436a09684db935ea085">fcc2c5da</a></strong>
<div>
<span>by Stanislav Laznicka</span>
<i>at 2017-09-12T13:53:54Z</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">pkinit: fix sorting dictionaries
Python 3 discovered this issue since dictionaries themselves don't
implement comparisons.
https://pagure.io/freeipa/issue/7131
Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/commit/16909a128b766f00dadff9e48a4bd4643134d32f">16909a12</a></strong>
<div>
<span>by Stanislav Laznicka</span>
<i>at 2017-09-12T13:59:20Z</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">pkinit: don't fail when no pkinit servers found
If we issue pkinit-status after an upgrade from a pre-4.5 ipa
version, it would have failed with KeyError since the
pkinit_server_server of IPA config was never initialized.
https://pagure.io/freeipa/issue/7144
Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/commit/0f13e663cac0d29518daa2eb6f1c4da759b90d2a">0f13e663</a></strong>
<div>
<span>by Stanislav Laznicka</span>
<i>at 2017-09-12T14:46:38Z</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">ldif: handle attribute names as strings
ldif.LDIFRecordList handles all attribute names as utf-8 strings
and all attribute values as bytes. If we take the attribute value
and try to search for it in the entry (= dictionary), if it contains
the attribute name as a key (which is a string), their hashes match.
However, even if hashes match, Python needs to make sure those two
are the same in case of a hash collision, so it tries to compare them.
This causes BytesWarning exception when running in strict mode
because `bytes` and `str` instances cannot be compared. KeyError
would be thrown in a non-strict mode.
Also, when later passing the attr to replace_value(), we need for it
to be `str` otherwise the modifications handler fails because it
tries to sort the attributes it's modifying but that's a bit less
poetic issue than the first one.
https://pagure.io/freeipa/issue/7129
Reviewed-By: Michal Reznik <mreznik@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/commit/be9da19de382162f60cdfc32f8b7d85c9c2bc0c8">be9da19d</a></strong>
<div>
<span>by Stanislav Laznicka</span>
<i>at 2017-09-12T15:43:23Z</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">uninstall: remove deprecation warning
RawConfigParser.readfp() method is deprecated and throws
DeprecationWarning in python 3 during uninstall.
https://pagure.io/freeipa/issue/7131
Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/commit/286bbb2ab77559f63d10c8c5c4923520cb7d3d0f">286bbb2a</a></strong>
<div>
<span>by Felipe Volpone</span>
<i>at 2017-09-12T16:00:03Z</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">Changing idoverrideuser-* to treat objectClass case insensitively
This is import to avoid problems when migrating from olders
versions of IPA and using idoverrideuser-* commands.
https://pagure.io/freeipa/issue/7074
Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/commit/c4505f080479068db41c1a6ed99945b973cb0134">c4505f08</a></strong>
<div>
<span>by Stanislav Laznicka</span>
<i>at 2017-09-13T08:38:08Z</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">client: fix retrieving certs from HTTP
We're applying bytes regex on the result of a command but were
using decoded stdout instead of raw.
https://pagure.io/freeipa/issue/7131
Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/commit/09f746f56823ec6120437ba625f0db9b5d704e3e">09f746f5</a></strong>
<div>
<span>by Fraser Tweedale</span>
<i>at 2017-09-13T11:56:59Z</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">ipa-pki-retrieve-key: ensure we do not crash
If ipa-pki-retrieve-key fails for some reason (which may be a
"legitimate" reason, e.g. the server it is attempting to contact
being offline), the program terminates with an uncaught exception,
resulting in crash report.
Catch all exceptions; if an exception gets raised, report the
traceback and exit with nonzero status.
Fixes: https://pagure.io/freeipa/issue/7115
Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/commit/473ddbdb66e563d93a30ac51b1ac559adbd18190">473ddbdb</a></strong>
<div>
<span>by Alexander Bokovoy</span>
<i>at 2017-09-13T14:53:32Z</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">dsinstance: Restore context after changing dse.ldif
Fixes https://pagure.io/freeipa/issue/7150
Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/commit/436d2de456c14c869c9970fb53c2931c7c8e67c8">436d2de4</a></strong>
<div>
<span>by Stanislav Laznicka</span>
<i>at 2017-09-14T12:06:09Z</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">ldap2: don't use decode() on str instance
This was causing issues when adding/removing a CA in the
CA plugin.
https://pagure.io/freeipa/issue/7131
Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/commit/c8161fc40cf0ec38612bc346097d6a93972ba032">c8161fc4</a></strong>
<div>
<span>by Stanislav Laznicka</span>
<i>at 2017-09-14T12:06:09Z</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">certmap testing: fix wrong cert construction
`bytes` instances have no `.format()`, we can simply base64 decode
the certificate and load it as DER instead.
https://pagure.io/freeipa/issue/7131
Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/commit/8be28145bf763ff8dfcf4d03cbd9b196d4482755">8be28145</a></strong>
<div>
<span>by Martin Basti</span>
<i>at 2017-09-14T12:06:09Z</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">py3: set samba dependencies
Set proper python3 dependencies for samba package
https://pagure.io/freeipa/issue/7131
Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/commit/537690ae44b5187721b518b7e304d2abe4fa619c">537690ae</a></strong>
<div>
<span>by Stanislav Laznicka</span>
<i>at 2017-09-14T12:06:09Z</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">travis: run the same tests in python2/3
We missed running some tests in python3
https://pagure.io/freeipa/issue/7131
Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/commit/93be966dafab8cb50c94a5248f9db3826c26d95b">93be966d</a></strong>
<div>
<span>by Florence Blanc-Renaud</span>
<i>at 2017-09-15T06:36:22Z</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">Python3: Fix winsync replication agreement
When configuring a winsync replication agreement, the tool performs a search
on AD for defaultNamingContext. The entry contains the value as a bytes, it
needs to be decoded otherwise subsequent calls to
DN(WIN_USER_CONTAINER, self.ad_suffix) will fail.
https://pagure.io/freeipa/issue/7131
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/commit/8661611d3e1d63a01fdc250610a87b3813e5125f">8661611d</a></strong>
<div>
<span>by Alexander Bokovoy</span>
<i>at 2017-09-18T09:37:31Z</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">OTP import: support hash names with HMAC- prefix
Refactor convertHashName() method to accept hash names prefixed with
HMAC- or any other prefix. Extending the method should be easier in
future.
Add tests proposed by Rob Crittenden to make sure we don't regress
with expected behavior of convertHashName().
Fixes https://pagure.io/freeipa/issue/7146
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/commit/623ec6c037e44e4f7bc487c9a9e2462a24b154f7">623ec6c0</a></strong>
<div>
<span>by Stanislav Laznicka</span>
<i>at 2017-09-18T09:41:15Z</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">pylint: fix missing module
requests.packages contains but a weird backward compatibility fix
for its presumed urllib3 submodule but pylint does not approve.
Reviewed-By: Tomas Krizek <tkrizek@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/commit/fa6181293a1bf3207c4da1494d9d6cf9d715377b">fa618129</a></strong>
<div>
<span>by Rob Crittenden</span>
<i>at 2017-09-18T09:44:08Z</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">Use TLS for the cert-find operation
The goal is to avoid using HTTP where possible and use TLS everywhere.
This provides not only privacy protection but also integrity protection.
We should consider any network except localhost as untrusted.
Switch from using urllib.request to dogtag.https_request.
https://pagure.io/freeipa/issue/7027
Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Fraser Tweedale <ftweedal@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/commit/62e72c2a53e7b92dfd4eb62cf0da9196d75f774a">62e72c2a</a></strong>
<div>
<span>by Rob Crittenden</span>
<i>at 2017-09-19T06:54:20Z</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">Add exec to /var/lib/ipa/sysrestore for install status inquiries
installutils.is_ipa_configured() previously required root
privileges to see whether there were sysrestore or filestore
files. The directory was mode 0700 so this function always returned
False for non-root users.
Relaxing permissions is is needed to run the tests as the jenkins user.
Backed-up files retain their original FS permissions so this
shouldn't disclose any previously unreadable backed-up configuration.
https://pagure.io/freeipa/issue/7157
Reviewed-By: Tomas Krizek <tkrizek@redhat.com>
Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/commit/87540fe1ef8a191e521ddf1584b4cbebb7dece94">87540fe1</a></strong>
<div>
<span>by Florence Blanc-Renaud</span>
<i>at 2017-09-19T07:34:31Z</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">Fix ipa-server-upgrade with server cert tracking
ipa-server-upgrade fails with Server-Cert not found, when trying to
track httpd/ldap server certificates. There are 2 issues in the upgrade:
- the certificates should be tracked only if they were issued by IPA CA
(it is possible to have CA configured but 3rd part certs)
- the certificate nickname can be different from Server-Cert
The fix provides methods to find the server crt nickname for http and ldap,
and a method to check if the server certs are issued by IPA and need to be
tracked by certmonger.
https://pagure.io/freeipa/issue/7141
Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
Reviewed-By: Fraser Tweedale <ftweedal@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/commit/e537686bcc8248bc0216ce634ae7707fa65e70ba">e537686b</a></strong>
<div>
<span>by Stanislav Laznicka</span>
<i>at 2017-09-19T07:42:07Z</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">Don't write p11-kit EKU extension object if no EKU
b5732efd introduced a regression because it tries to write EKU
that's actually in the CA cert instead of using the LDAP information.
However, when no EKU is available,
IPACertificate.extended_key_usage_bytes still returned at least
EKU_PLACEHOLDER OID to keep the behavior the same as in previous
versions. This caused the EKU_PLACEHOLDER to be written in the
ipa.p11-kit file which made Firefox report FreeIPA Web UI as
improperly configured.
https://pagure.io/freeipa/issue/7119
Reviewed-By: Fraser Tweedale <ftweedal@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/commit/faaba4f1bd8b0cd1ec40b75e46b79ecdca5cff48">faaba4f1</a></strong>
<div>
<span>by Tomas Krizek</span>
<i>at 2017-09-19T09:26:01Z</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">spec: bump python-pyasn1 to 0.3.2-2
The new python-pyasn1 fixes an issue that occurred during ca-less
installation.
Fixes: https://pagure.io/freeipa/issue/7157
Signed-off-by: Tomas Krizek <tkrizek@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/commit/dc47a4b85f289e8acfaf507d94f991570f04bd03">dc47a4b8</a></strong>
<div>
<span>by Alexander Bokovoy</span>
<i>at 2017-09-19T15:33:24Z</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">Make sure upgrade also checks for IPv6 stack
- Add check for IPv6 stack to upgrade process
- Change IPv6 checker to also check that localhost resolves to ::1
Part of fixes https://pagure.io/freeipa/issue/7083
Reviewed-By: Tomas Krizek <tkrizek@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/commit/5acd4840903c7f290c1af7d6442e90bf4c0d19dd">5acd4840</a></strong>
<div>
<span>by Stanislav Laznicka</span>
<i>at 2017-09-20T10:58:33Z</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">rpc: don't decode cookie_string if it's None
This removes an ugly debug message from client installation
Reviewed-By: Fraser Tweedale <ftweedal@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/commit/bf0b74bec4dc8b75a71d9e8d1374755a81d8b1df">bf0b74be</a></strong>
<div>
<span>by Felipe Barreto</span>
<i>at 2017-09-21T08:24:06Z</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">Checks if Dir Server is installed and running before IPA installation
In cases when IPA is installed in two steps (external CA), it's
necessary to check (in the second step) if Dir. Server is
running before continue with the installation. If it's not,
start Directory Server.
https://pagure.io/freeipa/issue/6611
Reviewed-By: Fraser Tweedale <ftweedal@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/commit/b0184d10aba3bd0302b4ef7bdcecb513ae00c54d">b0184d10</a></strong>
<div>
<span>by Petr Vobornik</span>
<i>at 2017-09-21T08:27:14Z</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">browser config: cleanup after removal of Firefox extension
Firefox extension which served for configuring Kerberos auth in Firefox
until version which banned self-signed extensions was removed in commit
6c53765ac1746ea3cb82554775a37fe43af062e8.
Given that configure.jar, even older Firefox config tool, was removed
sometime before that, there is no use for signtool tool. It is good
because it is removed from Fedora 27 anyway. So removing last unused
function which calls it.
The removal of FF extension was not exactly clean so removing also
browserconfig.html which only purpose was to use the extension. Therefore
also related JS files are removed. This removal requires unauthorized.html
to be updated so that it doesn't point to non-existing page. And given that
it now points only to single config page, we can change link in UI login page
to this page (ssbrowser.html). While at it, improving buttons in ssbrowser.html.
Btw, commit 6c53765ac1746ea3cb82554775a37fe43af062e8 removed also generation of
krb.js. It had one perk - with that info ssbrowser.html could display real
Kerberos domain instead of only 'example.com'. I don't have time to revert this
change so removing traces of krb.js as well.
https://pagure.io/freeipa/issue/7135
Reviewed-By: Fraser Tweedale <ftweedal@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/commit/321f07de020dab24ca7e8692c3d3443492504da6">321f07de</a></strong>
<div>
<span>by Tomas Krizek</span>
<i>at 2017-09-22T05:52:02Z</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">prci: update F26 template
Signed-off-by: Tomas Krizek <tkrizek@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/commit/ee87b66bd3548709326cc61194c7ce2b7b575b2e">ee87b66b</a></strong>
<div>
<span>by Fraser Tweedale</span>
<i>at 2017-09-22T09:57:15Z</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">py3: fix pkcs7 file processing
https://pagure.io/freeipa/issue/7131
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/commit/7902fc9a06392fc0130f3423481f01f5903694a1">7902fc9a</a></strong>
<div>
<span>by Michal Reznik</span>
<i>at 2017-09-27T09:51:20Z</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">test_external_ca: switch to python-cryptography
Switch external CA generation from certutil to python-cryptography
as this way of handling the certificates should be more readable,
maintainable and extendable (e.g. extensions handling).
Also as external CA is now a separate module we can import it and
use elsewhere.
https://pagure.io/freeipa/issue/7154
Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/commit/c5afee964eee0cdf81a4f22fd78a6838a3da7537">c5afee96</a></strong>
<div>
<span>by Fraser Tweedale</span>
<i>at 2017-10-04T08:09:18Z</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">cli: simplify parsing of arbitrary types
Add the 'constructor' type to IPAOption to allow parsing arbitrary
types.
When using this type, supply the 'constructor' attribute with the
constructor of the type. The checker for the 'constructor' type
attempts to construct the data, returning if successful else raising
OptionValueError.
The 'knob' interface remains unchanged but now accepts arbitrary
constructors.
This feature subsumes the '_option_callback' mechanism, which has
been refactored away.
This feature also subsumes the "dn" type in IPAOption, but this
refactor is deferred.
Part of: https://pagure.io/freeipa/issue/6858
Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/commit/1699cff3501519982d896bd5d5add233d12b0f00">1699cff3</a></strong>
<div>
<span>by Fraser Tweedale</span>
<i>at 2017-10-04T08:09:18Z</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">Remove duplicate references to external CA type
Part of: https://pagure.io/freeipa/issue/6858
Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/commit/b4365e3a7fa2fb1d4e7ffc41f21c23e3d369ffd6">b4365e3a</a></strong>
<div>
<span>by Fraser Tweedale</span>
<i>at 2017-10-04T08:09:18Z</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">install: allow specifying external CA template
Allow the MS/AD-CS target certificate template to be specified by
name or OID, via the new option --external-ca-profile.
Part of: https://pagure.io/freeipa/issue/6858
Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/commit/fc7c684b122cbcf1ff31c0ee45551388abb588fc">fc7c684b</a></strong>
<div>
<span>by Fraser Tweedale</span>
<i>at 2017-10-04T08:09:18Z</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">ipa-ca-install: add --external-ca-profile option
Fixes: https://pagure.io/freeipa/issue/6858
Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/commit/2207dc5c172710471f3c7c77242cb2ba1fcfa779">2207dc5c</a></strong>
<div>
<span>by Fraser Tweedale</span>
<i>at 2017-10-04T08:09:18Z</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">certmonger: refactor 'resubmit_request' and 'modify'
certmonger.resubmit_request() and .modify() contain a redundant if
statement that means more lines of code must be changed when adding
or removing a function argument. Perform a small refactor to
improve these functions.
Part of: https://pagure.io/freeipa/issue/6858
Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/commit/560ee3c0b512cbb8cdc4099a81204e745a515f7c">560ee3c0</a></strong>
<div>
<span>by Fraser Tweedale</span>
<i>at 2017-10-04T08:09:18Z</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">certmonger: add support for MS V2 template
Update certmonger.resubmit_request() and .modify() to support
specifying the Microsoft V2 certificate template extension.
This feature was introduced in certmonger-0.79.5 so bump the minimum
version in the spec file.
Part of: https://pagure.io/freeipa/issue/6858
Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/commit/29f4ec865b2d0654e7e46c8a089a04f23ea9a00c">29f4ec86</a></strong>
<div>
<span>by Fraser Tweedale</span>
<i>at 2017-10-04T08:09:18Z</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">ipa-cacert-manage: support MS V2 template extension
Update ipa-cacert-manage to support the MS V2 certificate template
extension.
Part of: https://pagure.io/freeipa/issue/6858
Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/commit/d43cf35cca4e7b84801bbbd5b1bb910d6a5e453a">d43cf35c</a></strong>
<div>
<span>by Fraser Tweedale</span>
<i>at 2017-10-04T08:09:18Z</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">Add tests for external CA profile specifiers
Part of: https://pagure.io/freeipa/issue/6858
Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/commit/49c0a7b4d4ec5ddef7f9648be72ccacb15c28840">49c0a7b4</a></strong>
<div>
<span>by Fraser Tweedale</span>
<i>at 2017-10-04T08:09:18Z</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">ipa-cacert-manage: handle alternative tracking request CA name
For an externally-signed CA, if an earlier run of ipa-cacert-manage
was interrupted, the CA name in the IPA CA tracking request may have
been left as "dogtag-ipa-ca-renew-agent-reuse" (it gets reverted to
"dogtag-ipa-ca-renew-agent" at the end of the CSR generation
procedure). `ipa-cacert-manage renew` currently only looks for a
tracking request with the "dogtag-ipa-ca-renew-agent" CA, so in this
scenario the program fails with message "CA certificate is not
tracked by certmonger".
To handle this scenario, if the IPA CA tracking request is not
found, try once again but with the "dogtag-ipa-ca-renew-agent-renew"
CA name.
Part of: https://pagure.io/freeipa/issue/6858
Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/commit/75a2eda85d7e9769f612733a6ade5719b1511c09">75a2eda8</a></strong>
<div>
<span>by Fraser Tweedale</span>
<i>at 2017-10-04T08:09:18Z</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">ipa-cacert-manage: avoid some duplicate string definitions
Part of: https://pagure.io/freeipa/issue/6858
Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/commit/f2b32759b91a3c4e5f7b2fbdb63c52298c63438d">f2b32759</a></strong>
<div>
<span>by Michal Reznik</span>
<i>at 2017-10-04T08:18:11Z</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">test_caless: add caless to external CA test
Add caless to external CA test as the suite is currently
missing one.
https://pagure.io/freeipa/issue/7155
Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/commit/418421d94182f03aa9af38f7ab9ed141828f1eb2">418421d9</a></strong>
<div>
<span>by Rob Crittenden</span>
<i>at 2017-10-04T08:22:10Z</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">Collect group membership without a size limit
If the # of group memberships exceeded the search size limit
then SizeLimitExceeded was raised. Being in too many groups
should not cause a *_show to fail.
https://pagure.io/freeipa/issue/7112
Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/commit/af1b8513abc8e5be74e2886f9048c747235f1a14">af1b8513</a></strong>
<div>
<span>by Stanislav Laznicka</span>
<i>at 2017-10-06T07:19:46Z</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">Remove the `message` attribute from exceptions
This is causing python2 tests print ugly warnings about the
deprecation of the `message` attribute in python2.6.
https://pagure.io/freeipa/issue/7131
Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/commit/3b5e97933432dc8a1685cb34a51aa7c14fc13625">3b5e9793</a></strong>
<div>
<span>by Michal Reznik</span>
<i>at 2017-10-06T07:22:37Z</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">tests_py3: decode get_file_contents() result
When running tests in python3 we get bytes object instead of
bytestring from get_file_contents() and when passing it to
run_command() we later fail on concatenation in shell_quote().
https://pagure.io/freeipa/issue/7131
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/commit/209bb2771260589d2dba690aa3eab750069d6803">209bb277</a></strong>
<div>
<span>by Stanislav Laznicka</span>
<i>at 2017-10-10T08:05:37Z</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">travis: make tests fail if pep8 does not pass
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/commit/a2a6cf381e564525f1a6b67ddaaa0133aae8d46b">a2a6cf38</a></strong>
<div>
<span>by Michal Reznik</span>
<i>at 2017-10-11T11:06:57Z</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">tests: add host zone with overlap
This patch is mainly for test_forced_client_reenrolment suite
where when we are not in control of our client DNS we create an
overlap zone in order to get the host records updated. This also
sets resolv.conf before every ipa-client-install to the ipa master.
https://pagure.io/freeipa/issue/7124
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Milan Kubik <mkubik@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/commit/fe1aad767948f4636c2251b0cf7b6a25f9bf7145">fe1aad76</a></strong>
<div>
<span>by Sumit Bose</span>
<i>at 2017-10-13T11:43:35Z</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">ipa-kdb: reinit trusted domain data for enterprise principals
While processing enterprise principals the information about trusted domains
might not be up-to-date. With this patch ipadb_reinit_mspac() is called if an
unknown domain is part of the enterprise principal.
Resolves https://pagure.io/freeipa/issue/7172
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/commit/7a3da27816f62240cebbac72de5c98a96ace0794">7a3da278</a></strong>
<div>
<span>by Aleksei Slaikovskii</span>
<i>at 2017-10-13T14:47:53Z</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">Less confusing message for PKINIT configuration during install
The message about an error during replica setup was causing the
users to think the installation gone wrong even though this was
an expected behavior when ipa-replica-install was ran without
--no-pkinit flag and CA somehow is not reachable which defines
that there is something wrong in a topology but does not lead
to failure of the replica's installation. So now installation
will not print error messages to stdout but rather will give a
recomendation to user and write the old error message to log
as a warning so it still will be easy to find if needed.
https://pagure.io/freeipa/issue/7179
Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/commit/53abf0105b3dd6d5e2b258375c03e6ecc23bc162">53abf010</a></strong>
<div>
<span>by David Kupka</span>
<i>at 2017-10-13T15:03:23Z</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">tests: Add LDAP URI to ldappasswd explicitly
Tests should always rely on api.env.* values when possible.
Without this running the tests remotely can result in errors such
as ldap{search,modify,passwd} attempting to connect to the
wrong URI and failing.
https://fedorahosted.org/freeipa/ticket/6622
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/commit/73b20975698d449229e5f7ac2eecff7da135822d">73b20975</a></strong>
<div>
<span>by Florence Blanc-Renaud</span>
<i>at 2017-10-17T08:22:39Z</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">ipa-server-upgrade: fix the logic for tracking certs
ipa-server-upgrade needs to configure certmonger with the right options
in order to track PKI, HTTP and LDAP certs (for instance the RA agent cert
location has changed from older releases).
The upgrade code looks for existing tracking requests with the expected
options by using criteria (location of the NSSDB, nickname, CA helper...)
If a tracking request is not found, it means that it is either using wrong
options or not configured. In this case, the upgrade stop tracking
all the certs, reconfigures the helpers, starts tracking the certs so that
the config is up-to-date.
The issue is that the criteria is using the keyword 'ca' instead of
'ca-name' and this leads to upgrade believing that the config needs to be
updated in all the cases.
https://pagure.io/freeipa/issue/7151
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/commit/d87163c29096e04553b0e1fcf7c1753e8a6cf716">d87163c2</a></strong>
<div>
<span>by Florence Blanc-Renaud</span>
<i>at 2017-10-17T08:22:39Z</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">ipa-server-upgrade: do not add untracked certs to the request list
If LDAP or HTTP Server Cert are not issued by ipa ca, they are not tracked.
In this case, it is not necessary to add them to the tracking requests list.
https://pagure.io/freeipa/issue/7151
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/commit/7ab49dda6db52c0960f50f1744aa19dc70d3c62f">7ab49dda</a></strong>
<div>
<span>by David Kupka</span>
<i>at 2017-10-17T11:42:11Z</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">schema: Fix internal error in param-{find,show} with nonexistent object
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Fraser Tweedale <ftweedal@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/commit/3822120077d5bd0f951560d3181654d1f28fca4e">38221200</a></strong>
<div>
<span>by Felipe Barreto</span>
<i>at 2017-10-17T11:42:11Z</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">Fixing param-{find,show} and output-{find,show} commands
Now, the criteria option is working for both commands
and the commands are able to handle with wrong input values.
https://pagure.io/freeipa/issue/7134
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Fraser Tweedale <ftweedal@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/commit/acd72cc8f55f8824d8608309ee1979416aa0c04d">acd72cc8</a></strong>
<div>
<span>by Rob Crittenden</span>
<i>at 2017-10-17T12:59:06Z</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">Use 389-ds provided method for file limits tuning
Previously IPA would set the LimitNOFILE value to 8192 to increase
the number of concurrent clients. 389-ds-base does this by default
as of 1.3.7.0.
Remove the IPA-specific tuning and rely on the out-of-the-box
389-ds-base tuning.
Bump the required version of 389-ds-base to 1.3.7.0.
Any other tuning added by 389-ds-base will result in a
dirsrv.systemd.rpmsave file which admins will need to merge
in manually, like typical .rpmsave config changes.
https://pagure.io/freeipa/issue/6994
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/commit/48dc9bb9ba86c0708d9042852470f3b968231150">48dc9bb9</a></strong>
<div>
<span>by Alexander Koksharov</span>
<i>at 2017-10-17T13:59:58Z</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">kra-install: better warning message
User would like to see CA installation command in KRA installation
warning message.
This makes warning message similar to other installer messages where it
does suggests a command to run.
https://pagure.io/freeipa/issue/6952
Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
Reviewed-By: Felipe Barreto <fbarreto@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/commit/9b8b7afeb406f042c8c6d46f84cbb04126ac5204">9b8b7afe</a></strong>
<div>
<span>by Stanislav Laznicka</span>
<i>at 2017-10-17T14:43:15Z</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">p11-kit: add serial number in DER format
This causes Firefox to report our CA certificate as not-trustworthy.
We were previously doing this correctly, however it slipped as an
error due to certificate refactoring.
https://pagure.io/freeipa/issue/7210
Reviewed-By: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/commit/dea059d158efe82ba71fe4e4669adb7caf45bc9f">dea059d1</a></strong>
<div>
<span>by Christian Heimes</span>
<i>at 2017-10-18T10:09:57Z</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">Block PyOpenSSL to prevent SELinux execmem in wsgi
Some dependencies like Dogtag's pki.client library and custodia use
python-requsts to make HTTPS connection. python-requests prefers
PyOpenSSL over Python's stdlib ssl module. PyOpenSSL is build on top
of python-cryptography which trigger a execmem SELinux violation
in the context of Apache HTTPD (httpd_execmem).
When requests is imported, it always tries to import pyopenssl glue
code from urllib3's contrib directory. The import of PyOpenSSL is
enough to trigger the SELinux denial.
Block any import of PyOpenSSL's SSL module in wsgi by raising an
ImportError. The block is compatible with new python-requests with
unbundled urllib3, too.
Fixes: https://pagure.io/freeipa/issue/5442
Fixes: RHBZ#1491508
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Tomas Krizek <tkrizek@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/commit/c8dbd0cfbe583eead478a3fe073c1ca52b2bb7bd">c8dbd0cf</a></strong>
<div>
<span>by Abhijeet Kasurde</span>
<i>at 2017-10-18T10:13:55Z</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">tests: correct usage of hostname in logger in tasks
This fix adds correct usage of host.hostname in logger.
Fixes: https://pagure.io/freeipa/issue/7190
Signed-off-by: Abhijeet Kasurde <akasurde@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/commit/49cf5ec64b1b7a7437ca285430353473c215540e">49cf5ec6</a></strong>
<div>
<span>by Florence Blanc-Renaud</span>
<i>at 2017-10-18T10:34:03Z</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">ipa-cacert-manage renew: switch from ext-signed CA to self-signed
The scenario switching from externally signed CA to self-signed CA is
currently failing because the certmonger helper goes through the wrong
code path when the cert is not self-signed.
When the cert is not self-signed but the admin wants to switch to self-signed
a new cert needs to be requested, not retrieved from LDAP.
https://pagure.io/freeipa/issue/7173
Reviewed-By: Fraser Tweedale <ftweedal@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/commit/3a0410267f6f21678a827c051aecea6796c5ccd5">3a041026</a></strong>
<div>
<span>by Petr Čech</span>
<i>at 2017-10-18T15:01:53Z</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">ipatests: Fix on logs collection
If the function `install_kra` or `install_ca` fails
on call `host.run_command(command, raiseonerr=raiseonerr)`
then the logs are not collected.
This situation is not optimal because we need to see what happend
during the debbuging the tests.
So, this patch solves this situation and it adds try--finally
construction.
https://pagure.io/freeipa/issue/7214
Reviewed-By: Tibor Dudlak <tdudlak@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/commit/a2dea5a56daaf04b1066b2b6ea8c503a8de10474">a2dea5a5</a></strong>
<div>
<span>by John Morris</span>
<i>at 2017-10-18T15:55:25Z</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">Increase dbus client timeouts during CA install
When running on memory-constrained systems, the `ipa-server-install`
program often fails during the "Configuring certificate server
(pki-tomcatd)" stage in FreeIPA 4.5 and 4.6.
The memory-intensive dogtag service causes swapping on low-memory
systems right after start-up, and especially new certificate
operations requested via certmonger can exceed the dbus client default
25 second timeout.
This patch changes dbus client timeouts for some such operations to
120 seconds (from the default 25 seconds, IIRC).
See more discussion in FreeIPA PR #1078 [1] and FreeIPA container
issue #157 [2]. Upstream ticket at [3].
[1]: https://github.com/freeipa/freeipa/pull/1078
[2]: https://github.com/freeipa/freeipa-container/issues/157
[3]: https://pagure.io/freeipa/issue/7213
Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/commit/051786ce372cc89e53fbab02086c2d1246580762">051786ce</a></strong>
<div>
<span>by Alexander Bokovoy</span>
<i>at 2017-10-19T14:48:58Z</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">ds: ignore time skew during initial replication step
Initial replica creation can go with ignoring time skew checks.
We should, however, force time skew checks during normal operation.
Fixes https://pagure.io/freeipa/issue/7211
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/commit/620f9653ba736948d9ec9443728cd6c5c50576c8">620f9653</a></strong>
<div>
<span>by Alexander Bokovoy</span>
<i>at 2017-10-19T14:48:58Z</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">ipa-replica-manage: implicitly ignore initial time skew in force-sync
When performing force synchronization, implicitly ignore initial
time skew (if any) and restore it afterwards.
This also changes semantics of force-sync by waiting until the end of
the initial replication.
Fixes https://pagure.io/freeipa/issue/7211
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/commit/fad88b358b6bd40b96ea7db11c2d7ed148225d06">fad88b35</a></strong>
<div>
<span>by Aleksei Slaikovskii</span>
<i>at 2017-10-20T08:55:49Z</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">ipaclient.plugins.dns: Cast DNS name to unicode
cmd.api.Command.dnsrecord_split_parts expects name to be unicode
string and instead gets ascii. It leads to an error:
ipa: ERROR: invalid 'name': must be Unicode text
This commit's change is casting name's type to unicode so
'ipa dnsrecord-mod' will not fail with error above.
https://pagure.io/freeipa/issue/7185
Reviewed-By: Tibor Dudlak <tdudlak@redhat.com>
Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/commit/b29db07c3b3d8937f53684fdbba985fec525d69d">b29db07c</a></strong>
<div>
<span>by Christian Heimes</span>
<i>at 2017-10-20T10:27:19Z</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">Use os.path.isfile() and isdir()
Replace custom file_exists() and dir_exists() functions with proper
functions from Python's stdlib.
The change also gets rid of pylint's invalid bad-python3-import error,
https://github.com/PyCQA/pylint/issues/1565
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/commit/be66eadb621426c2e39026e860fd06760df1972d">be66eadb</a></strong>
<div>
<span>by Felipe Barreto</span>
<i>at 2017-10-23T16:11:30Z</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">Fixing tox and pylint errors
Fixing import errors introduced by commits
icac3475a0454b730d6e5b2093c2e63d395acd387 and
0b7d9c5.
https://pagure.io/freeipa/issue/7132
Reviewed-By: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Tomas Krizek <tkrizek@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/commit/be6f1a67cbf3e08ee0749dc1fe158f585e5546b7">be6f1a67</a></strong>
<div>
<span>by Tomas Krizek</span>
<i>at 2017-10-23T16:13:36Z</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">ipatests: set default 389-ds log level to 0
During integration tests, the log level of 8192 (replication debugging)
was excessive and made reading 389-ds logs very hard without providing
any useful information.
Part of: https://pagure.io/freeipa/issue/7162
Signed-off-by: Tomas Krizek <tkrizek@redhat.com>
Reviewed-By: Thierry Bordaz <tbordaz@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/commit/8eb1bd37be10ef93ee5f4498d23b601e413b70c2">8eb1bd37</a></strong>
<div>
<span>by Tomas Krizek</span>
<i>at 2017-10-24T10:01:32Z</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">spec: bump 389-ds-base to 1.3.7.6-1
To avoid insidious bug during server installation on Fedora 27,
the dependency of 389-ds-base is bumped.
https://bugzilla.redhat.com/show_bug.cgi?id=1488295
Signed-off-by: Tomas Krizek <tkrizek@redhat.com>
Reviewed-By: Thierry Bordaz <tbordaz@redhat.com>
Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/commit/3de30177f77d022137ead3b81e8b85823fe5ef3c">3de30177</a></strong>
<div>
<span>by Florence Blanc-Renaud</span>
<i>at 2017-10-25T07:44:37Z</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">py3: fix ipa cert-request --database ...
Fix bytes vs str issues in ipa cert-request
https://pagure.io/freeipa/issue/7148
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/commit/61dde27f70b9f8dd1b57ad1fbc3744f3c380613a">61dde27f</a></strong>
<div>
<span>by Stanislav Laznicka</span>
<i>at 2017-10-25T07:44:37Z</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">csrgen_ffi: pass bytes where "char *" is required
In Python 3, "char *" corresponds to bytes rather than string.
https://pagure.io/freeipa/issue/7131
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/commit/2b90c8a20e45ade9bfd27731cccc94a34cf3f61e">2b90c8a2</a></strong>
<div>
<span>by Stanislav Laznicka</span>
<i>at 2017-10-25T07:44:37Z</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">csrgen: accept public key info as Bytes
cert_get_requestdata() method is meant for internal use only and
is never passed a file. Make its parameter public_key_info Bytes
to better represent what's actually being passed to it.
https://pagure.io/freeipa/issue/7131
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/commit/c9d710a446d10aad72795e15bf041b87102628c1">c9d710a4</a></strong>
<div>
<span>by Stanislav Laznicka</span>
<i>at 2017-10-25T07:44:37Z</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">csrgen: update docstring for py3
https://pagure.io/freeipa/issue/7131
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/commit/26d721e6eac1b44031fb1326bcadf4c033d6e627">26d721e6</a></strong>
<div>
<span>by Stanislav Laznicka</span>
<i>at 2017-10-25T07:44:37Z</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">parameters: relax type checks
The type checks in ipalib.parameters were too strict. An object
that inherits from a type should implement its public interface.
This should allow us checking for types of objects whose class
implementations are private to a module but they implement a certain
public interface (which is typical for e.g. python-cryptography).
https://pagure.io/freeipa/issue/7131
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/commit/61605d28d8f562c49cfd7ced883d8aaeec9c20ff">61605d28</a></strong>
<div>
<span>by Stanislav Laznicka</span>
<i>at 2017-10-25T07:44:37Z</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">parameters: introduce CertificateSigningRequest
Previously, CSRs were handled as a Str parameter which brought
trouble to Python 3 because of its more strict type requirements.
We introduce a CertificateSigningRequest parameter which allows to
use python-cryptography x509.CertificateSigningRequest to represent
CSRs in the framework.
https://pagure.io/freeipa/issue/7131
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/commit/f350b5698aa84ffd0f3337e39b7c94de525f1d81">f350b569</a></strong>
<div>
<span>by Stanislav Laznicka</span>
<i>at 2017-10-25T07:44:37Z</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">Add tests for CertificateSigningRequest
https://pagure.io/freeipa/issue/7131
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/commit/0d7daf0495433e242f4d7e80e1f43f8486fbddab">0d7daf04</a></strong>
<div>
<span>by Stanislav Laznicka</span>
<i>at 2017-10-25T07:46:41Z</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">Remove pkcs10 module contents
This removes pkcs10 module contents and adds a warning message
about its future removal.
https://pagure.io/freeipa/issue/7131
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/commit/03786ad9f3bd5edc351040847b8a49c9cd9288b2">03786ad9</a></strong>
<div>
<span>by Stanislav Laznicka</span>
<i>at 2017-10-25T07:46:41Z</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">csrgen_ffi: cast the DN value to unsigned char *
cffi throws warnings during the implicit cast from char * to
unsigned char * since the support of these casts is nearing
its end of life.
https://pagure.io/freeipa/issue/7131
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/commit/6c88eb80974cdd7587619ade3fd832ba6e63f065">6c88eb80</a></strong>
<div>
<span>by Stanislav Laznicka</span>
<i>at 2017-10-25T07:59:28Z</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">travis: pep8 changes to pycodestyle
Travis CI environment changes pep8 into pycodestyle, do the
transition on our side as well
Reviewed-By: Tibor Dudlak <tdudlak@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/commit/23a0453c4d33271376b2156f2e2b484e8b9708c9">23a0453c</a></strong>
<div>
<span>by Felipe Barreto</span>
<i>at 2017-10-25T16:30:26Z</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">Checks if replica-s4u2proxy.ldif should be applied
Before applying replica-s3u2proxy.ldif, we check
if the values are already there. The values can be
there if a replica installation was done in the past
and some info was left behind. Also, the code checks
the values independently.
https://pagure.io/freeipa/issue/7174
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/commit/28802b396fa1230024da87bfa3491fc97a972f2e">28802b39</a></strong>
<div>
<span>by Thorsten Scherf</span>
<i>at 2017-10-25T16:34:07Z</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">Add debug option to ipa-replica-manage and remove references to api_env var.
https://pagure.io/freeipa/issue/7187
Reviewed-By: Felipe Barreto <fbarreto@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/commit/624b34ab2b16d6de58ffb1a5c18210ee0c24e57b">624b34ab</a></strong>
<div>
<span>by Tomas Krizek</span>
<i>at 2017-10-26T10:40:28Z</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">ldap: limit the retro changelog to dns subtree
The content synchronization plugin can be limited to the dns subtree in
Directory Server. This increases performance and helps to prevent some
potential issues.
Fixes: https://pagure.io/freeipa/issue/6515
Signed-off-by: Tomas Krizek <tkrizek@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/commit/a93592a739465429e5e87de2154cf42ce010de88">a93592a7</a></strong>
<div>
<span>by Stanislav Laznicka</span>
<i>at 2017-10-26T10:43:47Z</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">PRCI: use a new template for py3 testing
The new template should allow to use python3 to run ipa-run-tests
since it provides the required dependencies for HTML test results
extraction and python3-paramiko.
Reviewed-By: Felipe Barreto <fbarreto@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/commit/d39456a882efacbfefcc1f987ebf89ceeb761f61">d39456a8</a></strong>
<div>
<span>by Stanislav Laznicka</span>
<i>at 2017-10-26T10:43:47Z</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">ipatests: use python3 if built with python3
Change the default python version for test scripts
https://pagure.io/freeipa/issue/7131
Reviewed-By: Felipe Barreto <fbarreto@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/commit/71a80264966070fb2e43c838e27875efca035a17">71a80264</a></strong>
<div>
<span>by Stanislav Laznicka</span>
<i>at 2017-10-26T10:43:47Z</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">py3: pass raw entries to LDIFWriter
LDIFWriter.unparse() expects the scalar values of the attributes
of the entries to be bytes as it applies a byte regular expression
to check whether to base64-encode the values or not. Previously,
we were passing the scalar attribute values as strings which
was breaking the LDIFWriter.unparse() exectution.
https://pagure.io/freeipa/issue/7131
Reviewed-By: Felipe Barreto <fbarreto@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/commit/9f8700fceead6e7b4947dc86f161e78dabb5d186">9f8700fc</a></strong>
<div>
<span>by Robbie Harwood</span>
<i>at 2017-10-26T10:46:44Z</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">ipa-kdb: support KDB DAL version 7.0
krb5-1.16 includes DAL version 7, which changes the signature of
audit_as_req to include local and remote address parameters.
This patch just enables building against the new DAL version and bumps
the minimum in freeipa.spec.in, but doesn't use the new information
for anything.
Reviewed-By: Tomas Krizek <tkrizek@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/commit/68d2fa40bc4a7454b34be4a5392cac3829a37870">68d2fa40</a></strong>
<div>
<span>by Aleksei Slaikovskii</span>
<i>at 2017-10-26T10:48:44Z</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">Fix TypeError while ipa-restore is restoring a backup
Fixed ipa-restore code to get rid of bytes related TypeError and
to get ipa-restore work again.
https://pagure.io/freeipa/issue/7131
Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/commit/7b149b3c7f7513fa21051ed26bc68704cb78e971">7b149b3c</a></strong>
<div>
<span>by Florence Blanc-Renaud</span>
<i>at 2017-10-26T13:06:49Z</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">Fix ipa-replica-conncheck when called with --principal
ipa-replica-conncheck can be called with --principal / --password or
with an existing Kerberos credential cache in order to supply the
authorized identity logging in to the master machine (in
auto-master-check mode).
In domain-level 0, the tool is called with --principal and password
and tries to obtain a TGT by performing kinit, but does not set the
env var KRB5CCNAME. Subsequent calls to IPA API do not use the
credential cache and fail. In this case, ipa-replica-conncheck falls
back to using SSH to check master connectivity instead of IPA API,
and the ssh check is less robust.
The code should set the KRB5CCNAME env var for IPA API to use the
credential cache.
Fixes:
https://pagure.io/freeipa/issue/7221
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/commit/aa5ad3e2d32b1e860f719777442f2724b3b1b018">aa5ad3e2</a></strong>
<div>
<span>by Fraser Tweedale</span>
<i>at 2017-10-30T09:35:01Z</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">Add missing space in ipa-replica-conncheck error
Fixes: https://pagure.io/freeipa/issue/7224
Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/commit/d65297311d91b067b63623d86968b88303b98fc9">d6529731</a></strong>
<div>
<span>by Rishabh Dave</span>
<i>at 2017-10-30T09:49:13Z</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">ipa-ca-install: mention REPLICA_FILE as optional in help
As man page already does it, update the help text to show REPLICA_FILE
as optional.
Fixes https://pagure.io/freeipa/issue/7223
Signed-off-by: Rishabh Dave <rishabhddave@gmail.com>
Reviewed-By: Abhijeet Kasurde <akasurde@redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/commit/c9265a7b0528b7f2495bf15e79cd9dd96af578aa">c9265a7b</a></strong>
<div>
<span>by Stanislav Laznicka</span>
<i>at 2017-11-01T06:55:04Z</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">x509: remove the strip_header() function
We don't need the strip_header() function, to load an unknown
x509 certificate, load_unknown_x509_certificate() should be used.
Reviewed-By: Tibor Dudlak <tdudlak@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/commit/4cc94512719be2addf3c90f7a4913709a4ed0f0d">4cc94512</a></strong>
<div>
<span>by Stanislav Laznicka</span>
<i>at 2017-11-01T06:55:04Z</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">x509: remove subject_base() function
The x509.subject_base() function is only used in tests. During
the recent certificate refactoring, we had to get rid of the
ipalib.x509 import from the module scope so that there were no
circular dependecies and add it exactly to this funcion which
is not used in the production code.
Reviewed-By: Tibor Dudlak <tdudlak@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/commit/4fc903114d6f676eda95099044d4567e80f206ac">4fc90311</a></strong>
<div>
<span>by Fraser Tweedale</span>
<i>at 2017-11-01T11:39:19Z</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">Remove mention of firefox plugin after CA-less install
The plugin was removed some time ago.
Part of: https://pagure.io/freeipa/issue/7226
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/commit/260db9dece9a4a86e47bf6dbb164c5c92928d073">260db9de</a></strong>
<div>
<span>by Fraser Tweedale</span>
<i>at 2017-11-01T11:39:19Z</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">Remove XPI and JAR MIME types from httpd config
We added MIME types for JAR and XPI files, which were needed for
correct handling of the Firefox auto-configuration plugin. The
plugin was removed some time ago, so remove the media type
definitions.
Part of: https://pagure.io/freeipa/issue/7226
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/commit/1ebd819355206dc644350bb6cfb767e8fd2f615c">1ebd8193</a></strong>
<div>
<span>by Fraser Tweedale</span>
<i>at 2017-11-01T11:39:19Z</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">CertDB: remove unused method issue_signing_cert
The CertDB.issue_signing_cert method was used to issue the object
signing cert for signing the Firefox auto-configuration extension
(XPI). We removed the extension and certificate some time ago, and
the method is now unused so remove it.
Part of: https://pagure.io/freeipa/issue/7226
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/commit/3e338578271dc0f6a2eb5a5599247810406b7f22">3e338578</a></strong>
<div>
<span>by Fraser Tweedale</span>
<i>at 2017-11-01T11:39:19Z</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">Remove caJarSigningCert profile and related code
The caJarSigningCert profile was used for issuing the object signing
certificate for signing the Firefox auto-configuration extension
(XPI). We removed the extension and object signing certificate some
time ago, so remove the profile and the related code that sets it
up.
Fixes: https://pagure.io/freeipa/issue/7226
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/commit/59802d37d17a33fc2417aa68dd10b3373e1800bd">59802d37</a></strong>
<div>
<span>by Aleksei Slaikovskii</span>
<i>at 2017-11-01T11:46:57Z</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">Add a notice to restart ipa services after certs are installed
Adding notice for user to restart services after
ipa-server-certinstall.
https://pagure.io/freeipa/issue/7016
Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/commit/d8b3e53ce182e96cbf514e05268fc30dcfb7f7bc">d8b3e53c</a></strong>
<div>
<span>by Florence Blanc-Renaud</span>
<i>at 2017-11-03T14:10:28Z</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">Py3: fix ipa-replica-conncheck
ipa-replica-conncheck is using the socket methods sendall()
and sendto() with str. Theses methods expect str params in
python2 but bytes in python3.
Related to
https://pagure.io/freeipa/issue/7131
Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/commit/0033e0933924e856719cbbca5b5bc706eb9708c5">0033e093</a></strong>
<div>
<span>by Tomas Krizek</span>
<i>at 2017-11-06T13:05:25Z</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">prci: add external_ca test
Add external_ca to the PR CI test suite.
Signed-off-by: Tomas Krizek <tkrizek@redhat.com>
Reviewed-By: Felipe Barreto <fbarreto@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/commit/1d190092d3c386d83bc54e5d0f7e369f81127354">1d190092</a></strong>
<div>
<span>by Tomas Krizek</span>
<i>at 2017-11-06T13:05:25Z</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">ipatests: collect logs for external_ca test suite
Since test_external_ca isn't using the multihost framework,
logs collection has to be set up explicitly.
Signed-off-by: Tomas Krizek <tkrizek@redhat.com>
Reviewed-By: Felipe Barreto <fbarreto@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/commit/16da7c612e486dacae55b20150fc69e388fb3f5b">16da7c61</a></strong>
<div>
<span>by Felipe Barreto</span>
<i>at 2017-11-06T15:22:18Z</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">Fix log capture when running pytests_multihosts commands
The pytests_plugins/integration/config.py::Config class
provides the get_logger method in order to customize the
default log of the plugin.
Previously, before commit 07229c8ff66669ba87b7d6599c3ec0d362ef2be4,
the code was using ipa_log_manager, a custom log solution. After
moving to use the default python way, the log is not configured anymore.
This PR address it changing the level to DEBUG in order to capture
the output of pytest_multihosts commands.
As an example, when running `ipa-server-install`, you will be able
to see an output like this:
```
[[...].Host.master.cmd2] Checking DNS domain ipa.test, please wait ...
[[...].Host.master.cmd2]
[[...].Host.master.cmd2] The log file for this installation can be found in /var/log/ipaserver-install.log
[[...].Host.master.cmd2] ==============================================================================
[[...].Host.master.cmd2] This program will set up the FreeIPA Server.
[[...].Host.master.cmd2]
[[...].Host.master.cmd2] This includes:
[[...].Host.master.cmd2] * Configure a stand-alone CA (dogtag) for certificate management
[[...].Host.master.cmd2] * Configure the Network Time Daemon (ntpd)
[[...].Host.master.cmd2] * Create and configure an instance of Directory Server
[[...].Host.master.cmd2] * Create and configure a Kerberos Key Distribution Center (KDC)
```
Fixes: https://pagure.io/freeipa/issue/7186
Reviewed-By: Tomas Krizek <tkrizek@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/commit/59e136e8bad0612d132ddf8c38711a25fdf9b0c1">59e136e8</a></strong>
<div>
<span>by Michal Reznik</span>
<i>at 2017-11-06T15:51:00Z</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">test_forced_client: decode get_file_contents() result
Decode get_file_contents() in order to not get bytes when running py3
https://pagure.io/freeipa/issue/7131
Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/commit/5e4f76b043d9416f0e26912b8d17f968234c98c5">5e4f76b0</a></strong>
<div>
<span>by Michal Reznik</span>
<i>at 2017-11-06T15:53:14Z</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">test_caless: open CA cert in binary mode
When running test_caless suite in py3 we need to open CA cert in
binary mode so we can provide bytes later for python-cryptography.
https://pagure.io/freeipa/issue/7131
Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/commit/02c1d0e8e52fdd8e5d4acd418a682fc4b191dceb">02c1d0e8</a></strong>
<div>
<span>by Michal Reznik</span>
<i>at 2017-11-07T09:17:17Z</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">test_external_dns: add missing test cases
Add NTP, ipa-ca and ADTrust system records tests. Also test if
changes are being reflected when uninstalling a host.
The test cases are added as extension into test_dns_locations suite.
https://pagure.io/freeipa/issue/6091
Reviewed-By: Martin Basti <mbasti@redhat.com>
Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/commit/c99b37737a43a5b101158cff82136a56f9f47af3">c99b3773</a></strong>
<div>
<span>by Stanislav Laznicka</span>
<i>at 2017-11-07T15:49:36Z</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">Add the sub operation for fqdn index config
This should improve performance of the host-find command.
https://pagure.io/freeipa/issue/6371
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/commit/5458bb506f70653846e2053fa0234cd63cc3f629">5458bb50</a></strong>
<div>
<span>by Stanislav Laznicka</span>
<i>at 2017-11-07T15:49:36Z</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">Add indexing to improve host-find performance
host-find <host_name> command performance gets deteriorated when
there's way too many hosts in the LDAP tree. We're adding indices
to try and mitigate this behavior.
https://pagure.io/freeipa/issue/6371
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/commit/a3009b392a305fc286e43d51a72044baa0c3fd9d">a3009b39</a></strong>
<div>
<span>by Stanislav Laznicka</span>
<i>at 2017-11-08T06:58:46Z</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">caless tests: make debug log of certificates sensible
CA-less tests debug logging uses representation of a variable
containing the certificate object, which does not help very much.
Use the actual DER representation of the certificate on such places.
Reviewed-By: Michal Reznik <mreznik@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/commit/983234c91bfe1f5a0cc6e1e35815da9f86da6136">983234c9</a></strong>
<div>
<span>by Stanislav Laznicka</span>
<i>at 2017-11-08T06:58:46Z</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">caless tests: decode cert bytes in debug log
Bytes would cause the logger to throw up while interpolating the
string.
Reviewed-By: Michal Reznik <mreznik@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/commit/8b8437aa7342a79169913c886af4ac35f253aee2">8b8437aa</a></strong>
<div>
<span>by Florence Blanc-Renaud</span>
<i>at 2017-11-08T07:00:18Z</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">ipa-getkeytab man page: add more details about the -r option
The man page does not provide enough information about replicated
environments and the use of the -r option.
This fix adds an example how to use the same keytab on 2 different
hosts, and points to ipa {service/host}-allow-retrieve-keytab.
Fixes:
https://pagure.io/freeipa/issue/7237
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/commit/9345142c2b9938af4fa0df251489474de9f6826a">9345142c</a></strong>
<div>
<span>by Thierry Bordaz</span>
<i>at 2017-11-08T07:06:35Z</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">389-ds-base crashed as part of ipa-server-intall in ipa-uuid
Bug Description:
When adding an entry, ipa-uuid plugin may generate a unique value
for some of its attribute.
If the generated attribute is part of the RDN, the target DN
is replaced on the fly and the previous one freed.
Unfortunately, previous DN may be later used instead of
the new one.
Fix Description:
Make sure to use only the current DN of the operation
https://bugzilla.redhat.com/show_bug.cgi?id=1496226
https://pagure.io/freeipa/issue/7227
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/commit/16a952a0a44a0ebee97029ea1d2f6b7593dd2622">16a952a0</a></strong>
<div>
<span>by Stanislav Laznicka</span>
<i>at 2017-11-08T07:32:00Z</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">Don't allow OTP or RADIUS in FIPS mode
RADIUS, which is also internally used in the process of OTP
authentication by ipa-otpd, requires MD5 checksums which
makes it impossible to be used in FIPS mode. Don't allow users
setting OTP or RADIUS authentication if in FIPS mode.
https://pagure.io/freeipa/issue/7168
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/commit/f4a208311aa6618336e1ba6ae277243c727ec1fc">f4a20831</a></strong>
<div>
<span>by Florence Blanc-Renaud</span>
<i>at 2017-11-08T14:40:35Z</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">Fix ipa-restore (python2)
In order to stop tracking LDAP server cert, ipa-restore is using
dse.ldif to find the certificate name. But when ipa-server-install
--uninstall has been called, the file does not exist, leading to a
IOError exception (regression introduced by 87540fe).
The ipa-restore code properly catches the exception in python3 because
IOError is a subclass of OSError, but in python2 this is not the case.
The fix catches IOError and OSError to work properly with both version.
Fixes:
https://pagure.io/freeipa/issue/7231
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/commit/905ab93c958a539eb4af7d4b008a5aa02292ba12">905ab93c</a></strong>
<div>
<span>by Aleksei Slaikovskii</span>
<i>at 2017-11-09T10:32:31Z</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">Prevent installation with single label domains
Adds validation to prevent user to install ipa with single label
domain.
https://pagure.io/freeipa/issue/7207
Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/commit/b84e8be5acf37d1778bfd91506859e6d04b7b83d">b84e8be5</a></strong>
<div>
<span>by Felipe Barreto</span>
<i>at 2017-11-09T11:05:39Z</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">Removing replica-s4u2proxy.ldif since it's not used anymore
Since commit 23a0453c4d33271376b2156f2e2b484e8b9708c9, the
replica-s4u2proxy.ldif file it's not used anymore.
https://pagure.io/freeipa/issue/7174
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/commit/405da071d109ec683676d56fac3bccfc4606535e">405da071</a></strong>
<div>
<span>by Felipe Barreto</span>
<i>at 2017-11-09T11:24:03Z</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">Warning the user when using a loopback IP as forwarder
Changing the --forwarder option to accept a loopback IP.
Previously, an error would be raised, now we just show a
warning message.
Fixes: https://pagure.io/freeipa/issue/5801
Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
Reviewed-By: Martin Basti <mbasti@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/commit/222cef1a4d55f8d311d01a51bc3e01e1a64aa337">222cef1a</a></strong>
<div>
<span>by Abhijeet Kasurde</span>
<i>at 2017-11-10T07:05:21Z</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">ipatests: Fix interactive prompt in ca_less tests
This fix adds additional prompt which was missing previously
in test_interactive_missing_ds_pkcs_password and
test_interactive_missing_http_pkcs_password under CA-less integration
testsuite.
Fixes: https://pagure.io/freeipa/issue/7182
Signed-off-by: Abhijeet Kasurde <akasurde@redhat.com>
Reviewed-By: Michal Reznik <mreznik@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/commit/32c64a78cef499c05e4ffa71d033692571297dca">32c64a78</a></strong>
<div>
<span>by Rob Crittenden</span>
<i>at 2017-11-10T09:09:57Z</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">Fix cert-find for CA-less installations
Change eb6d4c3037d0cc269a7924745f1cbd8f647e6e1a deferred the
detailed lookup until all certs were collected but introduced
a bug where the ra backend was always retrieved. This generated a
backtrace in a CA-less install because there is no ra backend in
the CA-less case.
The deferral also removes the certificate value from the LDAP
search output resulting in only the serial number being displayed
unless --all is provided. Add a new class variable,
self.ca_enabled, to add an exception for the CA-less case.
Fixes https://pagure.io/freeipa/issue/7202
Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/commit/3ca77456ee9de86ae70fb3fa287151d7d4e9b89a">3ca77456</a></strong>
<div>
<span>by Christian Heimes</span>
<i>at 2017-11-10T12:18:47Z</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">Py3: fix fetching of tar files
pytest_multihost does not support binary stdout stream yet,
https://pagure.io/python-pytest-multihost/issue/7 . Write logs to
temporary file and use host.get_file_content() to fetch them.
https://pagure.io/freeipa/issue/7131
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Michal Reznik <mreznik@redhat.com>
Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/commit/db313da62cf426edbdc34a98f929fbda1fc5f0d0">db313da6</a></strong>
<div>
<span>by Michal Reznik</span>
<i>at 2017-11-13T11:14:34Z</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">manpage: ipa-replica-conncheck - fix minor typo
Fixes minor typo "Defaults t" to "Defaults to".
https://pagure.io/freeipa/issue/7250
Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/commit/c45a989506390a4bd159107566b6b2902ede5a30">c45a9895</a></strong>
<div>
<span>by Tomas Krizek</span>
<i>at 2017-11-13T12:49:51Z</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">ipatests: fix circular import for collect_logs
Move collect_logs function from util to avoid a circular import.
Signed-off-by: Tomas Krizek <tkrizek@redhat.com>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/commit/28f7edaa08501fdb372ea2368b0c67aba509a55f">28f7edaa</a></strong>
<div>
<span>by Aleksei Slaikovskii</span>
<i>at 2017-11-13T15:57:06Z</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">ipa-restore: Set umask to 0022 while restoring
When some users are setting the umask to 0027 due to security
policies ipa-restore will result not working dirsrv.
So a fix is to temporary set umask to 0022 while ipa-restore is
running.
https://pagure.io/freeipa/issue/6844
Reviewed-By: Christian Heimes <cheimes@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/commit/3c84b0146b8ae12a836978df98d0f21142a7e7a4">3c84b014</a></strong>
<div>
<span>by Tomas Krizek</span>
<i>at 2017-11-13T16:43:35Z</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">py3 spec: use proper python2 package names
Package names for python2 were updated. Changed:
dbus-python -> python2-dbus
python -> python2
python-devel -> python2-devel
python-enum34 -> python2-enum34
python-jwcrypto -> python2-jwcrypto
python-kdcproxy -> python2-kdcproxy
python-netifaces -> python2-netifaces
python-netaddr -> python2-netaddr
python-pytest-multihost -> python2-pytest-multihost
python-pytest-sourceorder -> python2-pytest-sourceorder
python-setuptools -> python2-setuptools
python-six -> python2-six
python-sssdconfig -> python2-sssdconfig
samba-python -> python2-samba
Part of: https://pagure.io/freeipa/issue/7131
Signed-off-by: Tomas Krizek <tkrizek@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/commit/e203e9f86e2abb49f6daafc76ad47dcb8a0022e3">e203e9f8</a></strong>
<div>
<span>by Tomas Krizek</span>
<i>at 2017-11-13T16:43:35Z</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">py3 spec: remove python2 dependencies from freeipa-server
When building the package with for python3, use only python3
dependencies. Changed:
python -> python2 / python3
python-gssapi -> python2-gssapi / python3-gssapi
python-ldap -> python-ldap / python3-pyldap
systemd-python -> python2-systemd / python3-systemd
Fixes: https://pagure.io/freeipa/issue/7208
Signed-off-by: Tomas Krizek <tkrizek@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/commit/49c77d7781c7da6591851c3444bb4ed956656295">49c77d77</a></strong>
<div>
<span>by Tomas Krizek</span>
<i>at 2017-11-13T16:43:35Z</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">py3 spec: remove python2 dependencies from server-trust-ad
Use only python3 dependencies when building server-trust-ad for python3.
Fixes: https://pagure.io/freeipa/issue/7208
Signed-off-by: Tomas Krizek <tkrizek@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/commit/8bbeedc93fd442cbbb9bb70e5f446011e95211db">8bbeedc9</a></strong>
<div>
<span>by Christian Heimes</span>
<i>at 2017-11-13T17:10:54Z</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">Backup ipa-custodia conf and keys
https://pagure.io/freeipa/issue/7247
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Simo Sorce <ssorce@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/commit/48d6302008df64026c8136778279f6495b822be3">48d63020</a></strong>
<div>
<span>by Christian Heimes</span>
<i>at 2017-11-15T10:06:53Z</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">Remove ignore_import_errors
ignore_import_errors was added in 9b534238 to build FreeIPA ACI/API with
some dependencies missing. It turns out that the import hook doesn't
play nice with other meta importers or Cython-generated code like lxml:
./makeaci: ipaserver/plugins/dogtag.py:246: ignoring ImportError: No module named lxml.re
Traceback (most recent call last):
File "./makeaci", line 134, in <module>
main(options)
File "./makeaci", line 107, in main
api.finalize()
File "ipalib/plugable.py", line 733, in finalize
self.__do_if_not_done('load_plugins')
File "ipalib/plugable.py", line 425, in __do_if_not_done
getattr(self, name)()
File "ipalib/plugable.py", line 614, in load_plugins
self.add_package(package)
File "ipalib/plugable.py", line 641, in add_package
module = importlib.import_module(name)
File "/usr/lib64/python2.7/importlib/__init__.py", line 37, in import_module
__import__(name)
File "ipaserver/plugins/dogtag.py", line 246, in <module>
from lxml import etree
File "src/lxml/etree.pyx", line 93, in init lxml.etree
File "src/lxml/_elementpath.py", line 58, in init lxml._elementpath
AttributeError: 'FailedImport' object has no attribute 'compile'
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/commit/f6adf4f3a86e4ed5e444c9e14bb98031a2f603a2">f6adf4f3</a></strong>
<div>
<span>by Abhijeet Kasurde</span>
<i>at 2017-11-15T10:14:15Z</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">Trivial typo fix.
Fix adds correction to word 'enforce'
Signed-off-by: Abhijeet Kasurde <akasurde@redhat.com>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/commit/a48f6511f6f463488452c320dc1370b0ac620646">a48f6511</a></strong>
<div>
<span>by Christian Heimes</span>
<i>at 2017-11-15T13:17:24Z</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">Use namespace-aware meta importer for ipaplatform
Instead of symlinks and build-time configuration the ipaplatform module
is now able to auto-detect platforms on import time. The meta importer
uses the platform 'ID' from /etc/os-releases. It falls back to 'ID_LIKE'
on platforms like CentOS, which has ID=centos and ID_LIKE="rhel fedora".
The meta importer is able to handle namespace packages and the
ipaplatform package has been turned into a namespace package in order to
support external platform specifications.
https://fedorahosted.org/freeipa/ticket/6474
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/commit/495b85793c7cdaab58bf36d45d88e252612f150a">495b8579</a></strong>
<div>
<span>by Michal Reznik</span>
<i>at 2017-11-15T15:23:15Z</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">test_caless: fix TypeError on domain_level compare
Fixes an error where we were getting domain_level None and after
switching to Py3 we hit TypeError because of comparing None and int.
https://pagure.io/freeipa/issue/7254
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/commit/cedd52d7f96f9d9db74b1b45e0c2a9e12532fa5c">cedd52d7</a></strong>
<div>
<span>by Michal Reznik</span>
<i>at 2017-11-15T15:23:15Z</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">test_caless: fix http.p12 is not valid
In "test_invalid_ds_cn" test case an old invalid http.p12 cert
is used as a leftover after previous "test_invalid_http_cn" test.
Get new valid http.p12 cert using create_pkcs12().
Also use server-badname cert instead of cert for replica.
This explicitly ensures a non-matching hostname/SAN rather than
implicitly by using a certificate for the replica.
https://pagure.io/freeipa/issue/7254
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/commit/6a09704088926988ceec73790f96302390711566">6a097040</a></strong>
<div>
<span>by Christian Heimes</span>
<i>at 2017-11-16T07:48:15Z</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">ipa-custodia: use Dogtag's alias/pwdfile.txt
/etc/pki/pki-tomcat/password.conf contains additional passwords like
replicadb. ipa-custodia does not need these passwords.
/etc/pki/pki-tomcat/alias/pwdfile.txt holds the passphrase for Tomcat's
NSSDB. The file also simplifies implementation because it removes
another temporary file.
pwdfile.txt is created by CAInstance.create_certstore_passwdfile()
Related: https://pagure.io/freeipa/issue/6888
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Simo Sorce <ssorce@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/commit/38b17e1c792312a7fa10bf13601ff2614ff039ad">38b17e1c</a></strong>
<div>
<span>by Christian Heimes</span>
<i>at 2017-11-16T07:49:34Z</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">Test script for ipa-custodia
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/commit/64a88d597cf2d65bc5f97a8fd399751acd5bebda">64a88d59</a></strong>
<div>
<span>by Christian Heimes</span>
<i>at 2017-11-16T07:50:58Z</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">Py3: Fix vault tests
* Bump PKI to 10.5.1-2, which fixes an issue with KRA under Python 3
* Correct encoding of secret
https://pagure.io/freeipa/issue/7033
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/commit/007174492908db3e3e7f45f768df1cebb79738a6">00717449</a></strong>
<div>
<span>by Christian Heimes</span>
<i>at 2017-11-16T11:17:01Z</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">Support sqlite NSSDB
Prepare CertDB and NSSDatabase to support sqlite DB format. NSSDatabase
will automatically detect and use either old DBM or new SQL format. Old
databases are not migrated yet.
https://pagure.io/freeipa/issue/7049
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/commit/443ecbc29e3342e9021f6f4ae72ce11d5b238ba6">443ecbc2</a></strong>
<div>
<span>by Alexander Bokovoy</span>
<i>at 2017-11-16T14:43:36Z</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">adtrust: filter out subdomains when defining our topology to AD
When definining a topology of a forest to be visible over a cross-forest
trust, we set *.<forest name> as all-catch top level name already.
This means that all DNS subdomains of the forest will already be matched
by this top level name (TLN). If we add more TLNs for subdomains, Active
Directory will respond with NT_STATUS_INVALID_PARAMETER.
Filter out all subdomains of the forest root domain. All other realm
domains will be added with explicit TLN records.
Also filter out single label domains. These aren't possible to add as
TLNs to Windows Server 2016 as it considers them incorrect. Given that
we do not allow single lable domains as part of freeIPA installs, this
is another layer of protection here.
Fixes https://pagure.io/freeipa/issue/6666
Reviewed-By: Christian Heimes <cheimes@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/commit/caed210bc26c0220c9292c40b66177cda671a34f">caed210b</a></strong>
<div>
<span>by Aleksei Slaikovskii</span>
<i>at 2017-11-16T17:52:54Z</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">View plugin/command help in pager
ipa help code invokes pager if help lines length is more then
current terminal height.
https://pagure.io/freeipa/issue/7225
Reviewed-By: Tibor Dudlak <tdudlak@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/commit/04da85625615bf080967defa846788a6e0e643f8">04da8562</a></strong>
<div>
<span>by Pavel Vomacka</span>
<i>at 2017-11-16T17:54:49Z</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">WebUI: make Domain Resolution Order writable
Objectclass which defines the Domain Resolution Order is added to
the object only after modification. Therefore before modification of
object the attributelevelrights does not contain the 'domainresolutionorder'
attribute and the WebUI evaluates field as not writable.
'w_if_no_aci' flag was designed to make writable those fields
for which we don't have attributelevelrights.
https://pagure.io/freeipa/issue/7169
Reviewed-By: Petr Vobornik <pvoborni@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/commit/9e640190ee1dbe0e5d4545229db958f348d93141">9e640190</a></strong>
<div>
<span>by Christian Heimes</span>
<i>at 2017-11-20T16:01:59Z</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">Run tox tests for PyPI packages on Travis
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Tomas Krizek <tkrizek@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/commit/ba037a3551feb835b4e0880c4ba19d68214a1b96">ba037a35</a></strong>
<div>
<span>by Christian Heimes</span>
<i>at 2017-11-21T08:36:27Z</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">libotp: add libraries after objects
Add dependency on external libraries after dependency on internal
objects so the linker can correctly pick up all symbols.
https://pagure.io/freeipa/issue/7189
Original patch by Rob Crittenden
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/commit/e1bd827bbf56970ddd02ec174bf2317b64e75514">e1bd827b</a></strong>
<div>
<span>by Christian Heimes</span>
<i>at 2017-11-21T15:13:28Z</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">Require UTF-8 fs encoding
http://blog.dscpl.com.au/2014/09/setting-lang-and-lcall-when-using.html
https://pagure.io/freeipa/issue/5887
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/commit/e11bb3122d9c1a505c312636d6784513038436a1">e11bb312</a></strong>
<div>
<span>by Tomas Krizek</span>
<i>at 2017-11-21T15:56:44Z</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">prci: start testing PRs on fedora 27
Signed-off-by: Tomas Krizek <tkrizek@redhat.com>
Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/commit/57787f647e0f98ffd75dc18b41201fd2601a9160">57787f64</a></strong>
<div>
<span>by Christian Heimes</span>
<i>at 2017-11-22T08:51:56Z</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">Prevent installation of Py2 and Py3 mod_wsgi
FreeIPA is either compatible with Python 2 mod_wsgi or Python 3
mod_wsgi. mod_wsgi can not coexist in the same Apache process as
mod_wsgi_python3. When both mod_wsgi and python3-mod_wsgi are installed,
the first loaded module wins and the other one is never loaded.
Add conflict on the other module to prevent installation of both
modules.
https://pagure.io/freeipa/issue/7161
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/commit/d3a2a9be248a0b63f02a34ae889e6ec6dc75e2b0">d3a2a9be</a></strong>
<div>
<span>by Michal Reznik</span>
<i>at 2017-11-22T14:19:52Z</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">test_vault: increase WAIT_AFTER_ARCHIVE
Fixes failing "ipa vault-retrieve" on replica due to a vault
not yet replicated. Increase from 30 to 45 seems to be enough.
https://pagure.io/freeipa/issue/7265
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/commit/a94ba732abe175f5b9061a63f9cd6f46dace2388">a94ba732</a></strong>
<div>
<span>by Florence Blanc-Renaud</span>
<i>at 2017-11-23T12:29:54Z</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">Fix ipa-replica-install when key not protected by PIN
When ipa-replica-install is called in a CA-less environment, the certs,
keys and pins need to be provided with --{http|dirsrv|pkinit}-cert-file and
--{http|dirsrv|pkinit}-pin. If the pin is not provided in the CLI options,
and in interactive mode, the installer prompts for the PIN.
The issue happens when the keys are not protected by any PIN, the installer
does not accept an empty string and keeps on asking for a PIN.
The fix makes sure that the installer accepts an empty PIN. A similar fix
was done for ipa-server-install in
https://pagure.io/freeipa/c/4ee426a68ec60370eee6f5aec917ecce444840c7
Fixes:
https://pagure.io/freeipa/issue/7274
Reviewed-By: Christian Heimes <cheimes@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/commit/c468e32012904f522dd4860051b0a2ee80247a23">c468e320</a></strong>
<div>
<span>by Christian Heimes</span>
<i>at 2017-11-23T17:31:30Z</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">Use Python 3 on Travis
Removes Travis workaround "group: deprecated-2017Q3"
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/commit/4af36de102cc6205f31e85107c4dc580327ab206">4af36de1</a></strong>
<div>
<span>by Tomas Krizek</span>
<i>at 2017-11-23T18:13:06Z</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">prci: define testing topologies
Define usable topologies for upstream integration testing in PR CI.
Signed-off-by: Tomas Krizek <tkrizek@redhat.com>
Reviewed-By: Felipe Barreto <fbarreto@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/commit/197b5ca639ab31bc5f079c45eb36763c442bf74c">197b5ca6</a></strong>
<div>
<span>by Aleksei Slaikovskii</span>
<i>at 2017-11-23T18:18:43Z</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">ipalib/frontend.py output_for_cli loops optimization
Trivial fix which removes unnecessary for loops.
Reviewed-By: Christian Heimes <cheimes@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/commit/191605efd6b00233d3fd6d74212a9f4c78d5079c">191605ef</a></strong>
<div>
<span>by Christian Heimes</span>
<i>at 2017-11-27T10:46:54Z</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">Reproducer for bug in structured dnsrecord_show
"RuntimeError: dictionary changed size during iteration" in
ipaserver/plugins/dns.py", line 3209, in postprocess_record
https://pagure.io/freeipa/issue/7275
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/commit/f528a44865351130e427769841484a9003eeb459">f528a448</a></strong>
<div>
<span>by Christian Heimes</span>
<i>at 2017-11-27T10:46:54Z</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">Fix dict iteration bug in dnsrecord_show
In structured mode, dict size is modified by del record[attr].
https://pagure.io/freeipa/issue/7275
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/commit/19138c5ba3dd8fafcab766427cf025848d5d6016">19138c5b</a></strong>
<div>
<span>by Florence Blanc-Renaud</span>
<i>at 2017-11-27T16:51:03Z</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">Fix ca less IPA install on fips mode
When ipa-server-install is run in fips mode and ca-less, the installer
fails when the keys are provided with --{http|dirsrv|pkinit}-cert-file
in a separate key file.
The installer transforms the key into PKCS#8 format using
openssl pkcs8 -topk8
but this command fails on a fips-enabled server, unless the options
-v2 aes256 -v2prf hmacWithSHA256
are also provided.
Fixes:
https://pagure.io/freeipa/issue/7280
Reviewed-By: Christian Heimes <cheimes@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/commit/cd80036b6b4fdfc843aac52126f01fdb1fc1067d">cd80036b</a></strong>
<div>
<span>by Petr Čech</span>
<i>at 2017-11-28T08:45:32Z</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">tests: Mark failing tests as failing
Some tests from installation suite fail.
The issues are:
* ipa-replica-install --setup-kra if first KRA in topology fails
https://pagure.io/freeipa/issue/7008
* Third KRA installation in topology fails
https://pagure.io/freeipa/issue/7220
This patch marks those tests as failing.
Signed-off-by: Petr Čech <pcech@redhat.com>
Reviewed-By: Tibor Dudlak <tdudlak@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/commit/4069c129eab2389466c5c74f706a2114814a6e6d">4069c129</a></strong>
<div>
<span>by Christian Heimes</span>
<i>at 2017-11-28T18:43:15Z</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">Add workaround for pytest 3.3.0 bug
pytest is setting an env var PYTEST_CURRENT_TEST to the test name + test
parameters. If parameters happen to contain NULL bytes, the putenv()
call fails with "ValueError: embedded null byte". The workaround uses
repr() of test parameters as parameter id.
See https://github.com/pytest-dev/pytest/issues/2957
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/commit/8ec4b8159e0e8eea2a40e38b5ba4ef22876344b2">8ec4b815</a></strong>
<div>
<span>by Alexander Bokovoy</span>
<i>at 2017-11-29T13:55:00Z</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">ipa-kdb: override krb5.conf when testing KDC code in cmocka
When testing KDC code in cmocka we rely on libkrb5 defaults.
libkrb5 would read /etc/krb5.conf by default and would load a KDB
module from there if it is defined for the test realm (EXAMPLE.COM).
Since EXAMPLE.COM is a common name used for test realms, make sure to
not using /etc/krb5.conf from the system. Instead, force KRB5_CONFIG to
/dev/null so that only libkrb5 compiled-in defaults are in use.
In such setup libkrb5 will attempt to load KDB driver db2 for our test
realm. db2 driver doesn't fail if its database is not available (unlike
FreeIPA's one), so it survives initialization.
As result, ipa-kdb-tests pass without unexpected breakage.
Reviewed-By: Christian Heimes <cheimes@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/commit/868c7e7c91a5d3a918e089b322d7174869f455ea">868c7e7c</a></strong>
<div>
<span>by Alexander Bokovoy</span>
<i>at 2017-11-29T13:55:00Z</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">travis-ci: collect logs from cmocka tests
When 'make check' is run, automake produces logs for each test to be ran.
Collect all the logs from the tests.
Also prepare the template to quickly enable use of gdb with traceback
in case a test is crashing. To use it, add LOG_COMPILE definition to
the 'make' line.
Reviewed-By: Christian Heimes <cheimes@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/commit/64f4c71dd64ea0f4483a2c0fe8f9fe311de695d9">64f4c71d</a></strong>
<div>
<span>by Alexander Bokovoy</span>
<i>at 2017-11-29T13:55:00Z</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">test_dns_plugin: cope with missing IPv6 in Travis
If IPv6 is not enabled, cope with the possibility to get incomplete
output back from the IPA CLI.
To do so, use lambda to analyze the result rather than explicit
comparison with the expected output.
Reviewed-By: Christian Heimes <cheimes@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/commit/78ad1cfe4f8f2f9c51acbe8044a652e49ebaf1d7">78ad1cfe</a></strong>
<div>
<span>by Alexander Bokovoy</span>
<i>at 2017-11-30T09:38:03Z</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">ipa-extdom-extop: refactor nsswitch operations
Refactor nsswitch operations in ipa-extdom-extop plugin to allow use
of timeout-enabled nsswitch calls provided by libsss_nss_idmap.
Standard POSIX nsswitch API has no way to cancel requests which may
cause ipa-extdom-extop requests to hang far too long and potentially
exhaust LDAP server workers. In addition, glibc nsswitch API iterates
through all nsswitch modules one by one and with multiple parallel
requests a lock up may happen in an unrelated nsswitch module like
nss_files.so.2.
A solution to the latter issue is to directly load nss_sss.so.2 plugin
and utilize it. This, however, does not solve a problem with lack of
cancellable API.
With SSSD 1.16.1, libsss_nss_idmap provides a timeout-enabled variant of
nsswitch API that is directly integrated with SSSD client side machinery
used by nss_sss.so.2. As result, this API can be used instead of loading
nss_sss.so.2 directly.
To support older SSSD version, both direct loading of nss_sss.so.2 and
new timeout-enabled API are supported by this changeset. An API to
abstract both is designed to be a mix between internal glibc nsswitch
API and external nsswitch API that libsss_nss_idmap mimics. API does not
expose per-call timeout. Instead, it allows to set a timeout per
nsswitch operation context to reduce requirements on information
a caller has to maintain.
A choice which API to use is made at configure time.
In order to test the API, a cmocka test is updated to explicitly load
nss_files.so.2 as a backend. Since use of nss_sss.so.2 would always
depend on availablility of SSSD, predictable testing would not be
possible without it otherwise. Also, cmocka test does not use
nss_wrapper anymore because nss_wrapper overrides higher level glibc
nsswitch API while we are loading an individual nsswitch module
directly.
As result, cmocka test overrides fopen() call used by nss_files.so.2 to
load /etc/passwd and /etc/group. An overridden version changes paths to
/etc/passwd and /etc/group to a local test_data/passwd and
test_data/group. This way we can continue testing a backend API for
ipa-extdom-extop with the same data as with nss_wrapper.
Fixes https://pagure.io/freeipa/issue/5464
Reviewed-By: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Simo Sorce <ssorce@redhat.com>
Reviewed-By: Robbie Harwood <rharwood@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/commit/f45d72af83f9ab43646f003f342dbcee41116a75">f45d72af</a></strong>
<div>
<span>by Christian Heimes</span>
<i>at 2017-11-30T12:47:54Z</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">Update builddep command to install Python 3 and tox deps
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/commit/1ec3d54d555d6d33bc03a01963efd4314e182242">1ec3d54d</a></strong>
<div>
<span>by Michal Reznik</span>
<i>at 2017-11-30T14:51:24Z</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">test_batch_plugin: fix py2/3 failing assertion
When running "test_batch_plugin" with Py2 against Py3 server we
got assertion error due to a command trying to run as bytes.
E.g.: unknown command 'b'ping''
https://pagure.io/freeipa/issue/7131
Reviewed-By: Christian Heimes <cheimes@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/commit/17bda0b1a532ff2ac8503187e2d6e648f63d427f">17bda0b1</a></strong>
<div>
<span>by Rob Crittenden</span>
<i>at 2017-12-04T15:29:19Z</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">Use the CA chain file from the RPC context
The value can be passed in the create_connection() call but
wasn't used outside that call. It already defaults to
api.env.tls_ca_cert so the context.ca_certfile should be used
instead so the caller can override the cert chain on a
per-connection basis. This may be handy in the future when
there is IPA-to-IPA trust, or for IPA-to-IPA migration.
https://pagure.io/freeipa/issue/7145
Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/commit/e8a26afb94e57ce08efad60ed9684bc58b9b1c58">e8a26afb</a></strong>
<div>
<span>by Rob Crittenden</span>
<i>at 2017-12-04T15:29:19Z</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">Add test to ensure that properties are being set in rpcclient
Upon a connection several values should be available within
the connextion context. Test that they are being set properly.
Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/commit/01bfe2247e2297e9e0a55fb1baa0078525747c33">01bfe224</a></strong>
<div>
<span>by Rob Crittenden</span>
<i>at 2017-12-04T15:29:19Z</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">If the cafile is not present or readable then raise an exception
This can happen on the API level if a user passes in None as
cafile or if the value passed in does not exist or is not
readable by the IPA framework user.
This will also catch situations where /etc/ipa/ca.crt has
incorrect permissions and will provide more useful information
than just [Errno 13] Permission denied.
https://pagure.io/freeipa/issue/7145
Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/commit/c1f275f9ebb7020bf9b966f86720c2788cffe64b">c1f275f9</a></strong>
<div>
<span>by Christian Heimes</span>
<i>at 2017-12-06T15:54:04Z</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">Update to python-ldap 3.0.0
Replace python3-pyldap with python3-ldap.
Remove some old code for compatibility with very old python-ldap.
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/commit/be09823fd553e1c35cfd90628cb28f5b0cf14e32">be09823f</a></strong>
<div>
<span>by Christian Heimes</span>
<i>at 2017-12-06T15:54:04Z</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">Skip test_rpcclient_context in client tests
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/commit/c42c440de53e16b3a14878416227d34917b505ad">c42c440d</a></strong>
<div>
<span>by Fraser Tweedale</span>
<i>at 2017-12-07T12:02:26Z</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">Use correct version of Python in RPM scripts
Fixes: https://pagure.io/freeipa/issue/7299
Reviewed-By: Christian Heimes <cheimes@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/commit/ba411b0f6d0559078dc99e201abc068b64637ad6">ba411b0f</a></strong>
<div>
<span>by Fraser Tweedale</span>
<i>at 2017-12-07T12:03:30Z</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">Re-enable some KRA installation tests
Some KRA installation tests were disabled due to failures caused by
security domain session replication lag. This problem has been
addressed in Dogtag by introducing a default 5 second sleep after
security domain login, to give more time for session data to be
replicated to other hosts. There is still a possibility for this
kind of failure, but the delay minimises it.
FreeIPA depends on the version of Dogtag that contains this change,
so remove the failing-test annotations.
Fixes: https://pagure.io/freeipa/issue/7220
Reviewed-By: Christian Heimes <cheimes@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/commit/891cced446db0514bfe85c94c014ade32deb6cae">891cced4</a></strong>
<div>
<span>by Florence Blanc-Renaud</span>
<i>at 2017-12-07T13:00:27Z</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">Improve help message for ipa trust-add --range-type
Add the correct procedure for re-running ipa trust-add with a different
range type.
Fixes:
https://pagure.io/freeipa/issue/7308
Reviewed-By: Christian Heimes <cheimes@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/commit/1505922c2b8cac82395909df6ee18e203776528d">1505922c</a></strong>
<div>
<span>by Christian Heimes</span>
<i>at 2017-12-07T15:46:10Z</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">NSSDB: use preferred convert command
After further testing, Kai Engert proposed to use -N with -f -@ to
convert a NSSDB from DBM to SQL format.
https://fedoraproject.org/wiki/Changes/NSSDefaultFileFormatSql#Upgrade.2Fcompatibility_impact
https://pagure.io/freeipa/issue/7049
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/commit/8700101d982bd3bbf08f32019567edd8f0952538">8700101d</a></strong>
<div>
<span>by Christian Heimes</span>
<i>at 2017-12-07T15:55:40Z</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">Remove Custodia keys on uninstall
Keys are removed from disk and LDAP
https://pagure.io/freeipa/issue/7253
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/commit/3eb3844353418cf69c140d407973a9a2ff731d47">3eb38443</a></strong>
<div>
<span>by Fraser Tweedale</span>
<i>at 2017-12-07T16:28:12Z</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">renew_ra_cert: fix update of IPA RA user entry
The post-save hook for the RA Agent certificate invokes
cainstance.update_people_entry with the DER certificate instead of a
python-cryptograpy Certificate object. Apply to correct type.
Fixes: https://pagure.io/freeipa/issue/7282
Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/commit/956e265faee897221fb14e705121fec39712766c">956e265f</a></strong>
<div>
<span>by Alexander Bokovoy</span>
<i>at 2017-12-07T19:18:51Z</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">ipaserver/plugins/trust.py; fix some indenting issues
Reviewed-By: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Thierry Bordaz <tbordaz@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/commit/a57f61331459fc16769858b5043e869ea7f350fc">a57f6133</a></strong>
<div>
<span>by Alexander Bokovoy</span>
<i>at 2017-12-07T19:18:51Z</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">trust: detect and error out when non-AD trust with IPA domain name exists
Quite often users choose wrong type of trust on Active Directory side
when setting up a trust to freeIPA. The trust type supported by freeIPA
is just a normal forest trust to another Active Directory. However,
some people follow old internet recipes that force using a trust to MIT
Kerberos realm.
This is a wrong type of trust. Unfortunately, when someone used MIT
Kerberos realm trust, there is no way to programmatically remote the
trust from freeIPA side. As result, we have to detect such situation and
report an error.
To do proper reporting, we need reuse some constants and trust type
names we use in IPA CLI/Web UI. These common components were moved to
a separate ipaserver/dcerpc_common.py module that is imported by both
ipaserver/plugins/trust.py and ipaserver/dcerpc.py.
Fixes https://pagure.io/freeipa/issue/7264
Reviewed-By: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Thierry Bordaz <tbordaz@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/commit/c19eb499357e2d4c0868bcba097bc1af920180b4">c19eb499</a></strong>
<div>
<span>by Alexander Bokovoy</span>
<i>at 2017-12-07T19:18:51Z</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">ipaserver/plugins/trust.py: pep8 compliance
Reviewed-By: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Thierry Bordaz <tbordaz@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/commit/feee70d7bb90c05141ac15c058c2e26e2e0ab339">feee70d7</a></strong>
<div>
<span>by Mohammad Rizwan Yusuf</span>
<i>at 2017-12-11T07:32:39Z</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">ipatest: replica install with existing entry on master
replica install might fail because of existing entry for replica like
`cn=ipa-http-delegation,cn=s4u2proxy,cn=etc,$SUFFIX` etc. The situation
may arise due to incorrect uninstall of replica or ipa server-del is
not executed on master.
related bug : https://pagure.io/freeipa/issue/7174
Fixes: https://pagure.io/freeipa/issue/7276
Signed-off-by: Mohammad Rizwan Yusuf <myusuf@redhat.com>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/commit/93d53e5cd02addf3b654f0a728bfac4d610a524f">93d53e5c</a></strong>
<div>
<span>by Fraser Tweedale</span>
<i>at 2017-12-11T07:35:04Z</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">CertUpdate: make it easy to invoke from other programs
The guts of ipa-certupdate are useful to execute as part of other
programs (e.g. as a first step of ipa-ca-install). Refactor
ipa_certupdate.CertUpdate to make it easy to do that. In
particular, make it possible to use an already-initialised API
object.
Part of: https://pagure.io/freeipa/issue/6577
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/commit/8960141adbd527ad249cd237f78a8ea2f7452e4e">8960141a</a></strong>
<div>
<span>by Fraser Tweedale</span>
<i>at 2017-12-11T07:35:04Z</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">ipa-ca-install: run certupdate as initial step
When installing a CA replica, perform a certupdate to ensure that
the relevant CA cert is present. This is necessary if the admin has
just promoted the topology from CA-less to CA-ful but didn't
manually run ipa-certupdate afterwards.
Fixes: https://pagure.io/freeipa/issue/6577
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/commit/97942a7c7aac61d657832709e2dcc45a4cb4e4df">97942a7c</a></strong>
<div>
<span>by Fraser Tweedale</span>
<i>at 2017-12-11T07:35:04Z</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">Run certupdate after promoting to CA-ful deployment
After installing a CA in a CA-less installations (using
ipa-ca-install), the new CA certificate is not installed in
/etc/httpd/alias. This causes communication failure between IPA
framework and Dogtag (it cannot verify the Dogtag server
certificate).
Perform a CertUpdate as the final step when promoting a CA-less
deployment to CA-ful.
Fixes: https://pagure.io/freeipa/issue/7230
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/commit/39fdc2d25063e9017baaa6ea1f79fc224b07f283">39fdc2d2</a></strong>
<div>
<span>by Fraser Tweedale</span>
<i>at 2017-12-11T07:35:04Z</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">ipa_certupdate: avoid classmethod and staticmethod
Because classmethod and staticmethod are just fancy ways of calling
plain old functions, turn the classmethods and staticmethods of
CertUpdate into plain old functions.
This improves readability by making it clear that the behaviour of
the routines cannot depend on instance or class variables.
Part of: https://pagure.io/freeipa/issue/6577
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/commit/29d0f8673cf4c944db538244aea7b0dd103979bb">29d0f867</a></strong>
<div>
<span>by Michal Reznik</span>
<i>at 2017-12-11T11:05:16Z</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">test_x509: test very long OID
Active Directory creates OIDs long enough to trigger a failure.
This can cause e.g. ipa-server-install failure when installing
with an externally-signed CA.
https://pagure.io/freeipa/issue/7300
Reviewed-By: Christian Heimes <cheimes@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/commit/34f73b4a94ce9622380228825aa15d5b12c1bb6f">34f73b4a</a></strong>
<div>
<span>by Fraser Tweedale</span>
<i>at 2017-12-11T11:06:28Z</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">install: report CA Subject DN and subject base to be used
Currently we do not report what Subject DN or subject base will be
used for the CA installation. This leads to situations where the
administrator wants a different Subject DN later. Display these
data as part of the "summary" prior to the final go/no-go prompt in
ipa-server-install and ipa-ca-install.
The go/no-go prompt in ipa-ca-install is new. It is suppressed for
unattended installations.
Fixes: https://pagure.io/freeipa/issue/7246
Reviewed-By: Christian Heimes <cheimes@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/commit/ec4620ecb2fac244f1e6e064d1c91b212a91e612">ec4620ec</a></strong>
<div>
<span>by Christian Heimes</span>
<i>at 2017-12-11T14:32:45Z</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">Add python_requires to Python package metadata
freeIPA 4.6 and 4.7 requires Python 2.7 or >= 3.5.
https://pagure.io/freeipa/issue/7294
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/commit/b98f9b46de40e7b486cad32e5562595522d5e1ea">b98f9b46</a></strong>
<div>
<span>by Christian Heimes</span>
<i>at 2017-12-11T19:40:06Z</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">Add marker needs_ipaapi and option to skip tests
The new marker needs_ipaapi is used to mark tests that needs an
initialized API (ipalib.api) or some sort of other API services (running
LDAP server) to work. Some packages use api.Command or api.Backend on
module level. They are not marked but rather skipped entirely.
A new option ``skip-ipaapi`` is added to skip all API based tests. With
the option, only simple unit tests are executed. As of now, freeIPA
contains more than 500 unit tests that can be executed in about 5
seconds.
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/commit/7fbbf6689e5083b14f457d37b2419733826ef2ce">7fbbf668</a></strong>
<div>
<span>by Christian Heimes</span>
<i>at 2017-12-11T19:40:06Z</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">Add make targets for fast linting and testing
Fast linting only needs modified files with pylint and diff with
pycodestyle. It's good enough to detect most code errors very fast. It
typically takes less than 10 seconds. A complete full pylint run uses
all CPU cores for several minutes. PEP 8 violations are typically
reported after 30 minutes to several hours on Travis CI.
Fast lintings uses git diff and git merge-base to find all modified
files in a branch or working tree. There is no easy way to find the
branch source. On Travis the information is provided by Travis. For
local development it's a new variable IPA_GIT_BRANCH in VERSION.m4.
Fast testing execute all unit tests that do not depend on ipalib.api.
In total it takes about 30-40 seconds (!) to execute linting, PEP 8 checks
and unittests for both Python 2 and 3.
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/commit/d7aa7945e826f81f005c5a8a1303e1f738ffc1cf">d7aa7945</a></strong>
<div>
<span>by Rob Crittenden</span>
<i>at 2017-12-12T11:08:35Z</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">Run server upgrade in ipactl start/restart
During a distro upgrade, e.g. F-26 to F-27, networking may not
be available which will cause the upgrade to fail. Despite this
the IPA service can be subsequently restarted running new code
with old data.
This patch relies on the existing version-check cdoe to determine
when/if an upgrade is required and will do so during an ipactl
start or restart.
The upgrade is now run implicitly in the spec file and will
cause the server to be stopped after the package is installed
if the upgrade fails.
Fixes: https://pagure.io/freeipa/issue/6968
Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/commit/3756dbf964364c527454041d3501c1c96ed817a1">3756dbf9</a></strong>
<div>
<span>by Christian Heimes</span>
<i>at 2017-12-12T11:53:21Z</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">Fix grammar in login screen
https://pagure.io/freeipa/issue/7263
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Pavel Vomacka <pvomacka@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/commit/ae3160fdd78546f0859522f05677309e149a2715">ae3160fd</a></strong>
<div>
<span>by Christian Heimes</span>
<i>at 2017-12-12T11:53:21Z</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">Fix grammar error: Log out
https://pagure.io/freeipa/issue/7258
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Pavel Vomacka <pvomacka@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/commit/dca9f84961bdcde7ee062b2cb2fee9013814b568">dca9f849</a></strong>
<div>
<span>by Christian Heimes</span>
<i>at 2017-12-12T11:53:21Z</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">Address more 'to login'
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Pavel Vomacka <pvomacka@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/commit/b32a4aef8656319dd07e697871187693e6679b0d">b32a4aef</a></strong>
<div>
<span>by Christian Heimes</span>
<i>at 2017-12-12T11:53:21Z</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">More log in verbs
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Pavel Vomacka <pvomacka@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/commit/2546ef6eb0c6321da810f42d0311b7053be43d62">2546ef6e</a></strong>
<div>
<span>by Fraser Tweedale</span>
<i>at 2017-12-12T13:13:54Z</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">Prevent set_directive from clobbering other keys
`set_directive` only looks for a prefix of the line matching the
given directive (key). If a directive is encountered for which the
given key is prefix, it will be vanquished.
This occurs in the case of `{ca,kra}.sslserver.cert[req]`; the
`cert` directive gets updated after certificate renewal, and the
`certreq` directive gets clobbered. This can cause failures later
on during KRA installation, and possibly cloning.
Match the whole directive to avoid this issue.
Fixes: https://pagure.io/freeipa/issue/7288
Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/commit/1b04718b3c57eed2131db018b9d4e46c8d7f7345">1b04718b</a></strong>
<div>
<span>by Fraser Tweedale</span>
<i>at 2017-12-12T13:13:54Z</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">pep8: reduce line lengths in CAInstance.__enable_crl_publish
Part of: https://pagure.io/freeipa/issue/7288
Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/commit/c77f3a50d7a8d4b2f1e6fb7c95115a36a4ec6daa">c77f3a50</a></strong>
<div>
<span>by Fraser Tweedale</span>
<i>at 2017-12-12T13:13:54Z</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">installutils: refactor set_directive
To separate concerns and make it easier to test set_directive,
extract function ``set_directive_lines`` to do the line-wise
search/replace, leaving ``set_directive`` to deal with the file
handling.
Part of: https://pagure.io/freeipa/issue/7288
Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/commit/f688b5d8a7ff340a4f358e99bfe219167832359e">f688b5d8</a></strong>
<div>
<span>by Fraser Tweedale</span>
<i>at 2017-12-12T13:13:54Z</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">Add tests for installutils.set_directive
Part of: https://pagure.io/freeipa/issue/7288
Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/commit/f4001e1c53a263aa6c7f62385ed394631345a34c">f4001e1c</a></strong>
<div>
<span>by Christian Heimes</span>
<i>at 2017-12-12T13:13:54Z</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">Add safe DirectiveSetter context manager
installutils.set_directive() is both inefficient and potentially
dangerous. It does not ensure that the whole file is written and
properly synced to disk. In worst case it could lead to partially
written or destroyed config files.
The new DirectiveSetter context manager wraps everything under an easy
to use interface.
https://pagure.io/freeipa/issue/7312
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/commit/4d9d95366385a48e9a963962b41e073fadb38604">4d9d9536</a></strong>
<div>
<span>by Pavel Vomacka</span>
<i>at 2017-12-12T13:19:44Z</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">Extend ui_driver to support geckodriver log_path
Geckodriver automatically logs into geckodriver.log file which
is placed in the same directory from which tests are run. In case
of running tests using ipa-run-tests the current working directory is
/usr/lib/python*/site-packages/ipatests where most of users cannot
write because of priviledges.
By adding "geckodriver_log_path" into test configuration we allow to
set path where user who run tests have priviledges to write.
Config file might be seen here:
https://www.freeipa.org/page/Web_UI_Integration_Tests#Running_tests
Fixes: https://pagure.io/freeipa/issue/7311
Reviewed-By: Christian Heimes <cheimes@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/commit/0e9ce73a52c953f7e798150c6e720c41594a99b0">0e9ce73a</a></strong>
<div>
<span>by Fraser Tweedale</span>
<i>at 2017-12-12T13:36:44Z</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">Add uniqueness constraint on CA ACL name
It is possible to add caacl entries with same "name" (cn). The
command is supposed to prevent this but direct LDAP operations allow
it and doing that will cause subsequent errors.
Enable the DS uniqueness constraint plugin for the cn attribute in
CA ACL entries.
Fixes: https://pagure.io/freeipa/issue/7304
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/commit/6a8c84718d67704dcb0055e0d3bf4bdf2027b3ee">6a8c8471</a></strong>
<div>
<span>by Fraser Tweedale</span>
<i>at 2017-12-12T15:07:11Z</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">Don't use admin cert during KRA installation
KRA installation currently imports the admin cert. FreeIPA does not
track this cert and it may be expired, causing installation to fail.
Do not import the existing admin cert, and discard the new admin
cert that gets created during KRA installation.
Part of: https://pagure.io/freeipa/issue/7287
Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/commit/d7426ccbe74e2868836f29d4f016cbeb8524f273">d7426ccb</a></strong>
<div>
<span>by Christian Heimes</span>
<i>at 2017-12-12T15:16:58Z</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">Replace nose with unittest and pytest
* Replace raise nose.SkipTest with raise unittest.SkipTest
* Replace nose.tools.assert_equal(a, b) with assert a == b
* Replace nose.tools.raises with pytest.raises
* Convert @raises decorator to pytest.raises() but just for relevant
lines.
* Remove nose dependency
I left the nose_compat pytest plugin in place. It can be removed in
another request in case it is no longer used.
https://pagure.io/freeipa/issue/7301
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/commit/929c77c784467d0b0a8d5a62d7d5bdd08610cad8">929c77c7</a></strong>
<div>
<span>by Christian Heimes</span>
<i>at 2017-12-14T13:04:19Z</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">Travis: Add workaround for missing IPv6 support
Latest Travis CI image lacks IPv6 address on localhost. Add some
diagnostics and skip IPv6 tests in ipa-server-install when TRAVIS is
detected.
The hack will be removed as soon as it is no longer required to pass
automated testing.
https://pagure.io/freeipa/issue/7323
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Felipe Volpone <fbarreto@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/commit/fbb188976637ac64e9661fec6cc51fa7215290a4">fbb18897</a></strong>
<div>
<span>by Alexander Koksharov</span>
<i>at 2017-12-14T15:41:01Z</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">ensuring 389-ds plugins are enabled after install
To avoid problems caused by desabled plugins on 389-ds side
explicitly enable plugins required by IPA
https://pagure.io/freeipa/issue/7271
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/commit/68540856cfdc049771964112eb83369143441077">68540856</a></strong>
<div>
<span>by Pavel Vomacka</span>
<i>at 2017-12-14T17:57:37Z</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">Update qunit.js to version 2.4.1
It provides more functions, bug fixes, but mainly better error handling
therefore it is easier to debug errors while tests are automatically
run.
Related: https://pagure.io/freeipa/issue/7278
Reviewed-By: Christian Heimes <cheimes@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/commit/8b25ac88e16a5481ede47823e16cad5d0018d4fd">8b25ac88</a></strong>
<div>
<span>by Pavel Vomacka</span>
<i>at 2017-12-14T17:57:37Z</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">Update QUnit CSS file to 2.4.1
Update QUnit CSS to correspond with QUnit JS library
Related: https://pagure.io/freeipa/issue/7278
Reviewed-By: Christian Heimes <cheimes@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/commit/c48ac2819b1d5c0ea0368510240ff3083cc70e3e">c48ac281</a></strong>
<div>
<span>by Pavel Vomacka</span>
<i>at 2017-12-14T17:57:37Z</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">Add Gruntfile and package.json to ui directory
Those files are used when running WebUI unit tests from command line.
- Gruntfile specifies grunt task which can run the webui tests.
- symlink to src/freeipa/package.json where are specified npm packages
which are required for running those test.
There is only symlink to not duplicite package.json file
Related: https://pagure.io/freeipa/issue/7278
Reviewed-By: Christian Heimes <cheimes@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/commit/c50092c3b5542cb068ae54bb1311d07697a78c5c">c50092c3</a></strong>
<div>
<span>by Pavel Vomacka</span>
<i>at 2017-12-14T17:57:37Z</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">Update jsl to not warn about module in Gruntfile
Gruntfile uses module keyword which is not known by our JSLint.
Adding it into known keywords fix the warning.
Related: https://pagure.io/freeipa/issue/7278
Reviewed-By: Christian Heimes <cheimes@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/commit/c47784dc9f19de68e810bf7ac627c1630d3e0184">c47784dc</a></strong>
<div>
<span>by Pavel Vomacka</span>
<i>at 2017-12-14T17:57:37Z</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">Create symlink to qunit.js
Base path for all unit tests is install/ui/js. This path is also used
by PhantomJS when runnig unit tests from command line. PhantomJS then
tries to find qunit.js therefor symlink in install/ui/js is needed.
This might be automated in the future.
Related: https://pagure.io/freeipa/issue/7278
Reviewed-By: Christian Heimes <cheimes@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/commit/2dd774107579f6ac5505ce32e74da0250f9b3ced">2dd77410</a></strong>
<div>
<span>by Pavel Vomacka</span>
<i>at 2017-12-14T17:57:37Z</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">Update tests
With newer QUnit the API has changed, therefor there are necesary changes
in tests. QUnit methods does not pollute global workspace they use global
QUnit object or assert object passed as argument to test method.
Related: https://pagure.io/freeipa/issue/7278
Reviewed-By: Christian Heimes <cheimes@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/commit/905a0abfd6084eb2cf5473ac81ce9b165c68cb80">905a0abf</a></strong>
<div>
<span>by Pavel Vomacka</span>
<i>at 2017-12-14T17:57:37Z</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">Update README about WebUI unit tests
Add information how to run tests from command line
Related: https://pagure.io/freeipa/issue/7278
Reviewed-By: Christian Heimes <cheimes@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/commit/e89163d49143d7f9c989a5d7dea9f78632bf65a4">e89163d4</a></strong>
<div>
<span>by Pavel Vomacka</span>
<i>at 2017-12-14T17:57:37Z</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">Edit TravisCI conf files to run WebUI unit tests
Related: https://pagure.io/freeipa/issue/7278
Reviewed-By: Christian Heimes <cheimes@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/commit/8aca1fe72a68591dda4d695f3d23dd7cae68364d">8aca1fe7</a></strong>
<div>
<span>by Pavel Vomacka</span>
<i>at 2017-12-14T17:57:37Z</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">Update jsl.conf in tests subfolder
- to know QUnit, it is global object provided by QUnit.js library
- remove not-existing test navigation_tests.js
Related: https://pagure.io/freeipa/issue/7278
Reviewed-By: Christian Heimes <cheimes@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/commit/0f28c7e32efbb80b03455de93b21314b38d9dfae">0f28c7e3</a></strong>
<div>
<span>by Pavel Vomacka</span>
<i>at 2017-12-14T17:57:37Z</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">Include npm related files into Makefile and .gitignore
Extedned Makefile in install/ui
- $ make clean-local removes npm related files in the install/ui directory
Add node_modules and package-lock.json into .gitignore
Fixes: https://pagure.io/freeipa/issue/7278
Reviewed-By: Christian Heimes <cheimes@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/commit/1059a24d2ab0221e9b9c410962b94e6035f3c610">1059a24d</a></strong>
<div>
<span>by Tomas Krizek</span>
<i>at 2017-12-14T19:04:21Z</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">prci: bump ci-master-f27 template to 1.0.2
Signed-off-by: Tomas Krizek <tkrizek@redhat.com>
Reviewed-By: Felipe Volpone <fbarreto@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/commit/10a847b682786690da3d38777a062dcebb4f1c35">10a847b6</a></strong>
<div>
<span>by Rob Crittenden</span>
<i>at 2017-12-15T07:45:38Z</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">Make the path to CS.cfg a class variable
Rather than passing around the path to CS.cfg for the CA and KRA
set it at object creation and use everywhere.
Make update_cert_config() a real class method instead of a static
method. It wasn't being called that way in any case and makes it
possible to use the class config file.
Related: https://pagure.io/freeipa/issue/6703
Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Fraser Tweedale <ftweedal@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/commit/a7ae2dbc5ffa22d309d08ddb67b3e1ab24bc4cdc">a7ae2dbc</a></strong>
<div>
<span>by Rob Crittenden</span>
<i>at 2017-12-15T07:45:38Z</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">Enable ephemeral KRA requests
Enabling ephemeral KRA requests will reduce the amount of LDAP
write operations and improve overall performance.
Re-order some imports and shorten some lines to make pep8 happy.
Fixes: https://pagure.io/freeipa/issue/6703
Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Fraser Tweedale <ftweedal@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/commit/8cb756a2295d046c22a52fb7a51e7a8c17c7f116">8cb756a2</a></strong>
<div>
<span>by Christian Heimes</span>
<i>at 2017-12-18T10:51:14Z</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">Fix pylint warnings inconsistent-return-statements
Add consistent return to all functions and methods that are covered by
tox -e pylint[23]. I haven't checked if return None is always a good
idea or if we should rather raise an error.
See: https://pagure.io/freeipa/issue/7326
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/commit/1c9f0a4b1979a8a5076be0b434dc41a9f2a93317">1c9f0a4b</a></strong>
<div>
<span>by Christian Heimes</span>
<i>at 2017-12-19T12:26:39Z</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">Vault: Add argument checks to encrypt/decrypt
Vault's encrypt and decrypt helper function take either symmetric or
public/private key. Raise an exception if either both or none of them
are passed down.
See https://pagure.io/freeipa/issue/7326
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Felipe Volpone <fbarreto@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/commit/b567f3afea99277d5545b39abc5e6dcd45d91683">b567f3af</a></strong>
<div>
<span>by Christian Heimes</span>
<i>at 2017-12-19T12:28:06Z</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">Use pylint 1.7.5 with fix for bad python3 import
Closes: https://pagure.io/freeipa/issue/7315
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Petr Cech <pcech@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/commit/23d729e0de6c0bc7447327b434b2458ea85a529d">23d729e0</a></strong>
<div>
<span>by Michal Reznik</span>
<i>at 2017-12-19T13:03:24Z</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">test_help: test "help" command without cache
This test case addresses upsteam ticket #6999, where "ipa help"
does not work if called when no schema is cached.
https://pagure.io/freeipa/issue/7325
Reviewed-By: Christian Heimes <cheimes@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/commit/3c59cf5728380cc247d8042e972a097765dcad36">3c59cf57</a></strong>
<div>
<span>by Christian Heimes</span>
<i>at 2017-12-19T13:05:29Z</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">Require python-ldap 3.0.0b2
Use new LDAPBytesWarning to ignore python-ldap's bytes warnings. New
build is available in @freeipa/freeipa-master.
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Felipe Volpone <fbarreto@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/commit/bfd4e3edd8d1b8cc9cfa685f761b93ee1c8b5f73">bfd4e3ed</a></strong>
<div>
<span>by Christian Heimes</span>
<i>at 2017-12-20T08:55:46Z</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">Custodia uninstall: Don't fail when LDAP is down
The Custodia instance is removed when LDAP is already shut down. Don't
fail and only remove the key files from disk. The server_del command
takes care of all Custodia keys in LDAP.
https://pagure.io/freeipa/issue/7318
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/commit/9400a4058d70958360167acc0b27f7554a45f74f">9400a405</a></strong>
<div>
<span>by Christian Heimes</span>
<i>at 2017-12-20T12:01:02Z</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">Include ipa_krb5.h without util prefix
Fixes out-of-tree builds.
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/commit/cf2d171d0c7ec4d3d212eef42007cea392265895">cf2d171d</a></strong>
<div>
<span>by Pavel Vomacka</span>
<i>at 2018-01-04T15:24:42Z</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">WebUI: make keytab tables on service and host pages writable
There is no object class before adding the first item into tables,
therefore there are no ACI and WebUI is not able to figure out
whether table is writable or not. Adding flag 'w_if_no_aci'
tells "make it writable even if we have not ACIs and try to do
the API call.
https://pagure.io/freeipa/issue/7111
Reviewed-By: Felipe Volpone <fbarreto@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/commit/65c592334a9c928eab7d2ce27a8357a5e81956e0">65c59233</a></strong>
<div>
<span>by Michal Reznik</span>
<i>at 2018-01-04T15:28:14Z</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">test_cert_plugin: check if SAN is added with default profile
https://pagure.io/freeipa/issue/7334
Reviewed-By: Fraser Tweedale <ftweedal@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/commit/21b09522b5ff7a4a050f261dd2d42e3bdd222245">21b09522</a></strong>
<div>
<span>by Rob Crittenden</span>
<i>at 2018-01-04T15:34:37Z</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">Don't manually generate default.conf in server, use IPAChangeConf
Related: https://pagure.io/freeipa/issue/7218
Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Fraser Tweedale <ftweedal@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/commit/79432cbdc6546f66b2a641c5ac67da309f9b8d82">79432cbd</a></strong>
<div>
<span>by Rob Crittenden</span>
<i>at 2018-01-04T15:34:37Z</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">Log contents of files created or modified by IPAChangeConf
This will show the status of the files during an installation.
This is particularly important during a replica install where
default.conf gets written several times.
Fixes: https://pagure.io/freeipa/issue/7218
Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Fraser Tweedale <ftweedal@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/commit/6f5042cd873a13cdae5ce41a6329a09dd7191da0">6f5042cd</a></strong>
<div>
<span>by François Cami</span>
<i>at 2018-01-04T15:36:54Z</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">10-config.update: remove nsslapd-sasl-max-buffer-size override as https://pagure.io/389-ds-base/issue/47457 was fixed directly in 389 Directory Server.
The patch addresses:
https://bugzilla.redhat.com/show_bug.cgi?id=1527020
"nsslapd-sasl-max-buffer-size is hardcoded to '2097152' during
install even if another value was provided in an LDIF
( --dirsrv-config-file )"
Fixes: https://pagure.io/freeipa/issue/7341
Tested against RHEL 7.4, the nsslapd-sasl-max-buffer-size parameter
is still 2097152 after this change and the change allows overriding
its value using --dirsrv-config-file properly.
Fix suggested by Florence Blanc-Renaud.
Signed-off-by: François Cami <fcami@fedoraproject.org>
Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/commit/93c158b05812b55383043e320cac89550993b8b2">93c158b0</a></strong>
<div>
<span>by Christian Heimes</span>
<i>at 2018-01-04T18:36:27Z</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">ipa-run-tests: replace chdir with plugin
The ipa-run-tests command used os.chdir() to change into the ipatests/
directory. The approach works for simple cases but breaks some pytest
features. For example it makes it impossible to selects tests by their
fully qualified test name.
Further more, coverage statistics break because path and module names
get messed up by chdir.
A name plugin takes care of adjusting paths relative to ipatests and to
add ipatests as base. It's now possible to run tests with qualified test
names, e.g.
ipa-run-tests ipatests/test_ipalib/test_base.py::test_ReadOnly::test_lock
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Felipe Volpone <fbarreto@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/commit/6fe3228fb2f62d30604d9bc5507ea2e6b1642d82">6fe3228f</a></strong>
<div>
<span>by Christian Heimes</span>
<i>at 2018-01-08T08:52:49Z</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">Make fastlint even faster
- Check pycodestyle before pylint. pycodestyle takes seconds while
pylint can easily take half a minute or more.
- Fix exit, needs two $
- Add some newlines to make output more readable
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Tibor Dudlak <tdudlak@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/commit/cae2d99f89d940d2554a82f8ca1bbfeb1f46d336">cae2d99f</a></strong>
<div>
<span>by Christian Heimes</span>
<i>at 2018-01-09T06:53:28Z</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">LGTM: Silence unmatchable dollar
Silence false positive "unmatchable dollar in regular expression".
https://pagure.io/freeipa/issue/7344
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Fraser Tweedale <ftweedal@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/commit/1ed4461f338e456837bb074602dd76e0f0bd5b10">1ed4461f</a></strong>
<div>
<span>by Christian Heimes</span>
<i>at 2018-01-09T06:53:28Z</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">LGTM: Use of exit() or quit()
Replace exit() with sys.exit(). exit() or quit() may fail if the interpreter
is run with the -S option.
https://pagure.io/freeipa/issue/7344
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Fraser Tweedale <ftweedal@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/commit/a4f36eec0ac741f0050ae15928f101932e8aff4a">a4f36eec</a></strong>
<div>
<span>by Christian Heimes</span>
<i>at 2018-01-09T06:53:28Z</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">LGTM: Name unused variable in loop
For loop variable '_nothing' is not used in the loop body. The name
'unused' is used to indicate that a variable is unused.
https://pagure.io/freeipa/issue/7344
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Fraser Tweedale <ftweedal@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/commit/d3f43a673771aa40365ac1b34dc21e4e22d4a7cb">d3f43a67</a></strong>
<div>
<span>by Christian Heimes</span>
<i>at 2018-01-09T06:53:28Z</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">LGTM: Membership test with a non-container
Silence false positive by using isinstance(value, dict).
Also clean up and optimize most common cases.
https://pagure.io/freeipa/issue/7344
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Fraser Tweedale <ftweedal@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/commit/de616888d5718532dbb8e66ed3f6c698cdf1e79c">de616888</a></strong>
<div>
<span>by Christian Heimes</span>
<i>at 2018-01-09T06:53:28Z</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">LGTM: Fix exception in permission_del
Instantiating an exception, but not raising it, has no effect.
https://pagure.io/freeipa/issue/7344
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Fraser Tweedale <ftweedal@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/commit/dc599e0797572810a836b84f138f520672f33e94">dc599e07</a></strong>
<div>
<span>by Christian Heimes</span>
<i>at 2018-01-09T06:53:28Z</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">LGTM: Remove redundant assignment
https://pagure.io/freeipa/issue/7344
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Fraser Tweedale <ftweedal@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/commit/73ee9ff40e7026ce264d0445db96fa16a33ed589">73ee9ff4</a></strong>
<div>
<span>by Christian Heimes</span>
<i>at 2018-01-09T06:53:28Z</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">LGTM: Fix multiple use before assignment
- Move assignment before try/finally block
- Add raise to indicate control flow change
- Add default value
https://pagure.io/freeipa/issue/7344
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Fraser Tweedale <ftweedal@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/commit/f60b2c590684c8ffc2c6ce2efa7a99f0193f42a1">f60b2c59</a></strong>
<div>
<span>by Christian Heimes</span>
<i>at 2018-01-09T06:53:28Z</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">LGTM: raise handle_not_found()
Turn calls "handle_not_found()" into "raise handle_not_found()" to
indicate control flow chance. It makes the code easier to understand,
the control flow more obvious and helps static analyzers.
It's OK to raise here because handle_not_found() always raises an
exception.
https://pagure.io/freeipa/issue/7344
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Fraser Tweedale <ftweedal@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/commit/5d02c6aaeb893bf382037d34dc67e6293365c702">5d02c6aa</a></strong>
<div>
<span>by Christian Heimes</span>
<i>at 2018-01-09T06:53:28Z</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">LGTM: Use explicit string concatenation
Implicit string concatenation is technically correct, too. But when
combined in list, it's confusing for both human eye and static code
analysis.
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Fraser Tweedale <ftweedal@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/commit/beb6d74b81eae9965ddc031db1a3826c01d59d30">beb6d74b</a></strong>
<div>
<span>by Christian Heimes</span>
<i>at 2018-01-09T06:53:28Z</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">LGTM: unnecessary else in for loop
for/else makes only sense when the for loop uses break, too. If the for
loop simply returns on success, then else is not necessary.
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Fraser Tweedale <ftweedal@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/commit/830866d68a583c5d4ee679c63497a58b3fd31e25">830866d6</a></strong>
<div>
<span>by Florence Blanc-Renaud</span>
<i>at 2018-01-09T06:58:52Z</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">Idviews: fix objectclass violation on idview-add
When the option --domain-resolution-order is used with the command
ipa idview-add, the resulting LDAP object stores the value in
ipadomainresolutionorder attribute.
The issue is that the add command does not add the needed object
class (ipaNameResolutionData) because it is part of
possible_objectclasses but not of object_class.
The fix makes sure to add the objectclass when the option
--domain-resolution-order is used, and adds a non-regression test.
Note that idview-mod does not have any issue as it correctly handles
the addition of missing possible objectclasses.
Fixes:
https://pagure.io/freeipa/issue/7350
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/commit/a70dcb1e1846d6c46d4bdadc048e61911ce57311">a70dcb1e</a></strong>
<div>
<span>by Aleksei Slaikovskii</span>
<i>at 2018-01-09T07:02:29Z</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">test_backup_and_restore.py AssertionError fix
prefix in the backup function expects output to have
'ipa.ipaserver.install.ipa_backup.Backup:' and it's wrong. The right
one is 'ipaserver.install.ipa_backup:'.
https://pagure.io/freeipa/issue/7339
Reviewed-By: Felipe Volpone <fbarreto@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/commit/f5c01c5e86336dd9746b56f511e64eaecf1ed656">f5c01c5e</a></strong>
<div>
<span>by Felipe Barreto</span>
<i>at 2018-01-09T07:03:49Z</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">Fixing test_testconfig with proper asserts
When the cls in env_config.py is a WinHost, the __init__ receives different
parameters. Now, it's adapted to all different kinds of hosts.
Also, it's necessary to add the host_type field to most of domains created
in the test classes, because the field is returned by pytest_multihost.Config
in pytest_plugins/integration/config.py::Config::to_dict
https://pagure.io/freeipa/issue/7346
Reviewed-By: Christian Heimes <cheimes@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/commit/dbb7784b90cef2f1e1cdb5e2bc96de7f46143a16">dbb7784b</a></strong>
<div>
<span>by Michal Reznik</span>
<i>at 2018-01-09T08:36:33Z</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">test_renewal_master: add ipa csreplica-manage test
Add test case for setting renewal master using command
ipa-csreplica-manage.
Automation related to upstream ticket #7120. Testing using
config-mod already covered.
https://pagure.io/freeipa/issue/7321
Reviewed-By: Christian Heimes <cheimes@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/commit/434d7d423c21904cc630200d24f94218770c8802">434d7d42</a></strong>
<div>
<span>by Michal Reznik</span>
<i>at 2018-01-09T08:37:24Z</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">test_caless: test PKINIT install and anchor update
Add test case for installing PKINIT and anchor update when using
3rd party CA after caless installation. Related to #6831 issue.
https://pagure.io/freeipa/issue/7233
Reviewed-By: Christian Heimes <cheimes@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/commit/0cef5107639beb00a65e02a7ae8e52612cfdb6f4">0cef5107</a></strong>
<div>
<span>by Michal Reznik</span>
<i>at 2018-01-09T09:17:01Z</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">paths: add IPA_CACERT_MANAGE and IPA_CERTUPDATE constants
Add IPA_CACERT_MANAGE and IPA_CERTUPDATE constants which will be
used in test_external_ca test suite.
https://pagure.io/freeipa/issue/7302
Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/commit/efe21a1bda22fcfc1ad786fadf781bdcf6eb3b21">efe21a1b</a></strong>
<div>
<span>by Michal Reznik</span>
<i>at 2018-01-09T09:17:01Z</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">test_tasks: add sign_ca_and_transport() function
Add sign_ca_and_transport() function which will sign provided csr
and transport root CA and signed IPA CA to the host.
https://pagure.io/freeipa/issue/7302
Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/commit/ad996d79c639f92f57a20503b583ae68c77521e8">ad996d79</a></strong>
<div>
<span>by Michal Reznik</span>
<i>at 2018-01-09T09:17:01Z</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">test_external_ca: selfsigned->ext_ca->selfsigned
Add selfsigned > external_ca > selfsigned test case.
Covers Pagure issue #7106
https://pagure.io/freeipa/issue/7302
Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/commit/3bdac1a84d363c876fc4b735fa75590fcb3ffead">3bdac1a8</a></strong>
<div>
<span>by Michal Reznik</span>
<i>at 2018-01-09T09:17:01Z</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">tests: move CA related modules to pytest_plugins
Till now both create_caless_pki.py and create_external_ca.py were
stored in test_integration folder. However when trying to import
e.g. "from create_external_ca import ExternalCA" from tasks.py
where all other integration test`s support functions lives we get
"AttributeError: module 'pytest' has no attribute 'config' as pytest
was not completely initialized at the moment of the import.
https://pagure.io/freeipa/issue/7302
Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/commit/099856e1845f8c8a4b15bd8174a6e0d948b1ec16">099856e1</a></strong>
<div>
<span>by Michal Reznik</span>
<i>at 2018-01-09T09:17:01Z</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">prci: run full external_ca test suite
Before this patch there was just one test in external_ca suite,
now we add one new test class thus deleting the specific class
in external_ca PRCI section.
https://pagure.io/freeipa/issue/7302
Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/commit/dc4109c1a459919474dfb9c01996571d7fd5eae4">dc4109c1</a></strong>
<div>
<span>by Christian Heimes</span>
<i>at 2018-01-10T08:39:57Z</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">Sort external schema files
get_all_external_schema_files() now returns schema files sorted.
Fixes: https://pagure.io/freeipa/issue/7338
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/commit/0cab090f4d8a5ed0e4afd9fcc2a14efa442c9d46">0cab090f</a></strong>
<div>
<span>by Christian Heimes</span>
<i>at 2018-01-12T12:47:06Z</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">ipa-run-tests: make --ignore absolute, too
ipa-run-tests now applies the same logic to --ignore then to included
paths.
https://pagure.io/freeipa/issue/7355
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Michal Reznik <mreznik@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/commit/5c361f5450294e9d7b187112cbcb3b08bd037ae5">5c361f54</a></strong>
<div>
<span>by amitkuma</span>
<i>at 2018-01-12T19:33:20Z</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">Documenting kinit_lifetime in /etc/ipa/default.conf
Describing the parameter kinit_lifetime that allows to limit the lifetime of ticket obtained by users authenticating to the WebGUI using login/password. Removing session_auth_duration and session_duration_type since these parameters are not relevant anymore.
Resolves: https://pagure.io/freeipa/issue/7333
Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/commit/f0c0a14ec17670e41394856a648b89e57af5d78d">f0c0a14e</a></strong>
<div>
<span>by Stanislav Laznicka</span>
<i>at 2018-01-16T13:15:58Z</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">Add a helpful comment to ca.py:install_check()
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/commit/cd83afcd4bc69f8ceb7fbff061e8b0a3272fe0f6">cd83afcd</a></strong>
<div>
<span>by Stanislav Laznicka</span>
<i>at 2018-01-16T15:36:10Z</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">replica_prepare: Remove the correct NSS DB files
Mistake in recent fixes made the ipa-replica-prepare include
some extra files in the info file should the legacy format of
NSS databases be used.
https://pagure.io/freeipa/issue/7049
Reviewed-By: Christian Heimes <cheimes@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/commit/e55969f7e03a864fe59b21545577a2b12917ecbd">e55969f7</a></strong>
<div>
<span>by Michal Reznik</span>
<i>at 2018-01-17T11:52:16Z</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">test_caless: add SAN extension to other certs
Currently when testing we are using SAN extension only in
KDC, wildcard certs and not in the other certs.
During replica installation we then see a warning about certs
having no `subjectAltName`.
Reviewed-By: Christian Heimes <cheimes@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/commit/cd660d192231674d8e7d7bd85a8eec68eea29bc7">cd660d19</a></strong>
<div>
<span>by Felipe Barreto</span>
<i>at 2018-01-17T15:01:13Z</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">Fixing test_backup_and_restore assert to do not rely on the order
Since we cannot assume that LDAP will return data in any ordered way,
the test should be changed to do not rely on that.
Instead of just comparing the output of the show-user command, this change
first order the groups returned in the 'Member of Group' field before
compare them.
https://pagure.io/freeipa/issue/7339
Reviewed-By: Aleksei Slaikovskii <aslaikov@redhat.com>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/commit/c1f7c61762cf2086ed5e9d21115527615dc32a03">c1f7c617</a></strong>
<div>
<span>by Christian Heimes</span>
<i>at 2018-01-23T09:06:56Z</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">Lower python-ldap requirement for F27
For DNSSEC daemons on Python 3, python-ldap requirement was bumped to
python-ldap 3.0. But python-ldap 3.0 hasn't been released yet and is
only available as beta4 on rawhide. The DNSSEC fix hasn't landed either.
Lower requirements to python2-ldap 2.4.15 and python3-pyldap 2.4.35.1-2
until the DNSSEC fix has landed.
See https://pagure.io/freeipa/issue/7257
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/commit/fc8c130b976d93167c51e0cdaa34682e3d46f2b8">fc8c130b</a></strong>
<div>
<span>by amitkuma</span>
<i>at 2018-01-23T09:09:12Z</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">Custom ca-subject logging
Present Situation:
Logging is a bit incomplete when using a custom CA subject passed in via --ca-subject.
If there is a problem finding the IPA CA certificate then the installer will log:
ERROR IPA CA certificate not found in /tmp/servercert.pem, /tmp/cacert.pem
After the Fix this sort of log is seen:
ipa.ipapython.install.cli.install_tool(CompatServerMasterInstall): DEBUG The ipa-server-install command failed, exception: ScriptError: IPA CA certificate with subject 'CN=Certificate Authority,O=GSSLAB.PNQ2.REDHAT.COM' was not found in /root/ipa.cert, /root/rootCA.crt.
Resolves: https://pagure.io/freeipa/issue/7245
Reviewed-By: Tibor Dudlak <tdudlak@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/commit/7924dae6aed2ba1ba762464a21b5b4e7ac1c135b">7924dae6</a></strong>
<div>
<span>by Christian Heimes</span>
<i>at 2018-01-23T16:10:16Z</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">Fix pylint error in ipapython/dn.py
ipapython/dn.py:1324: [R1710(inconsistent-return-statements), DN.__contains__]
Either all return statements in a function should return an expression, or none of them should.)
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/commit/e0c976ac32588647e2db79d9101b3b2eb2fff8f6">e0c976ac</a></strong>
<div>
<span>by Christian Heimes</span>
<i>at 2018-01-23T20:02:49Z</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">Require dbus-python on F27
Partly revert b03d5155. python2-dbus is not available on F27. The
package only provides dbus-python:
$ dnf install python2-dbus dbus-python
Last metadata expiration check: 0:18:39 ago on 2018-01-23T18:59:22 CET.
No match for argument: python2-dbus
Package dbus-python-1.2.4-8.fc27.x86_64 is already installed, skipping.
Error: Unable to find a match
Part of: https://pagure.io/freeipa/issue/7131
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/commit/e1e3218270a008c2ebc0e74cbd54a8a218c3a80b">e1e32182</a></strong>
<div>
<span>by Christian Heimes</span>
<i>at 2018-01-23T20:54:04Z</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">Give ODS socket a bit of time
ipa-ods-exporter uses systemd socket activation. The script uses
select() to check if the socket is readable. A timeout of 0 is a bit too
aggressive. Sometimes select() doesn't consider the systemd socket as
readable. This causes ODS to fail silently
A timeout of one second seems to remove the problem. A proper error code
also signals that something went wrong.
Closes: https://pagure.io/freeipa/issue/7378
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/commit/c8ba9eb0e6082dd29c6d4ca121b6d6dc0cec8d11">c8ba9eb0</a></strong>
<div>
<span>by Felipe Barreto</span>
<i>at 2018-01-24T18:09:03Z</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">Fixing vault-add-member to be compatible with py3
Changing from iteritems() to values() in order to be compatible with
python3.
https://pagure.io/freeipa/issue/7373
Reviewed-By: Christian Heimes <cheimes@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/commit/86a78ca244fa4a3a5f65a19cd6e1534c29d37d00">86a78ca2</a></strong>
<div>
<span>by Florence Blanc-Renaud</span>
<i>at 2018-01-29T10:19:56Z</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">test_integration: backup custodia conf and keys
Add an integration test for issue 7247 (ipa-backup does not backup
Custodia keys and files)
The test performs backup / uninstall / check custodia files were removed /
restore and check that the custodia conf and keys files are restored.
related ticket https://pagure.io/freeipa/issue/7247
Reviewed-By: Christian Heimes <cheimes@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/commit/1c059fbf5cd1adf9bcb403c3d27b0f9aa8577bac">1c059fbf</a></strong>
<div>
<span>by Christian Heimes</span>
<i>at 2018-01-29T13:49:16Z</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">Remove unused PyOpenSSL from spec file
https://pagure.io/freeipa/issue/7381
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/commit/1235f5958dd61e6f99191e512953acdf8b577fff">1235f595</a></strong>
<div>
<span>by Alexander Koksharov</span>
<i>at 2018-01-31T11:35:03Z</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">preventing ldap principal to be deleted
ipa-server-install --uninstall command is calling server-del to
delete replica. This scenario does not work since server-del
is also deleting all principals from and ldap breaking ldap
replication. As a result, only part of deletions are propagated
to the other replicals leaving a lot of orphaned data there.
https://pagure.io/freeipa/issue/7371
This patch won't fully fix the issue with left-over data
but more data is cleaned up and only ldap principal is left
thus ending in a better state.
Issue will be fully fixed only when topology plugin is patched
as well. The following pagure ticket is created to track
topology plugin change:
https://pagure.io/freeipa/issue/7359
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/commit/6c5a7464b26eaf5af890af3b0433bbb6e7bc5f3e">6c5a7464</a></strong>
<div>
<span>by Aleksei Slaikovskii</span>
<i>at 2018-01-31T15:03:19Z</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">Fixing translation problems
ipa rpc server did set the LANG environment variable on each
request and it was not thread safe which led to unpredictable
mixed languages output. Also, there were mistakes regarding
setting the Accept-Language HTTP header.
Now on each request we're setting the "languages" property
in the context thread local variable and client is setting
the Accept-Language HTTP header correctly.
Also, as the server is caching the schema and the schema can
be generated for several languages it's good to store different
schema fingerprint for each language separately.
pagure: https://pagure.io/freeipa/issue/7238
Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
Reviewed-By: Tibor Dudlak <tdudlak@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/commit/9c208ea14db34dbadf5cdb1cdabf887105b7ae19">9c208ea1</a></strong>
<div>
<span>by Mohammad Rizwan Yusuf</span>
<i>at 2018-01-31T15:13:50Z</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">IANA reserved IP address can not be used as a forwarder. This test checks if ipa server installation throws an error when 0.0.0.0 is specified as forwarder IP address.
related ticket: https://pagure.io/freeipa/issue/6894
Signed-off-by: Mohammad Rizwan Yusuf <myusuf@redhat.com>
Reviewed-By: Tibor Dudlak <tdudlak@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/commit/aaf2eaabee889245fcb6c6d5a8fad1bf0a261033">aaf2eaab</a></strong>
<div>
<span>by Rob Crittenden</span>
<i>at 2018-02-06T10:41:03Z</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">Move Requires: pythonX-sssdconfig into conditional
https://pagure.io/freeipa/issue/5638
Reviewed-By: Christian Heimes <cheimes@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/commit/fa5394cc62be5e48265985fedd452a824d46f1b7">fa5394cc</a></strong>
<div>
<span>by Fraser Tweedale</span>
<i>at 2018-02-06T10:42:34Z</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">Improve warning message for malformed certificates
The 'CertificateInvalid' message is used for malformed certificates.
The user error messages says "Invalid certificate...", but in X.509
"validity" has a specific meaning that does not encompass
well-formedness. For clarify, change the user-visible message to
say "Malformed".
Part of: https://pagure.io/freeipa/issue/7390
Reviewed-By: Tibor Dudlak <tdudlak@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/commit/01c534c229d808d497f866c3c704701c8c57f894">01c534c2</a></strong>
<div>
<span>by Fraser Tweedale</span>
<i>at 2018-02-06T10:42:34Z</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">cert-request: avoid internal error when cert malformed
When executing cert-request, if Dogtag successfully issues a
certificate but python-cryptography cannot parse the certificate, an
unhandled exception occurs. Handle the exception by notifying about
the malformed certificate in the response messages.
Fixes: https://pagure.io/freeipa/issue/7390
Reviewed-By: Tibor Dudlak <tdudlak@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/commit/f1f180985f27154efd900a95350d007d2dab6b7d">f1f18098</a></strong>
<div>
<span>by Mohammad Rizwan Yusuf</span>
<i>at 2018-02-06T11:16:14Z</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">When the dirsrv service, which gets started during the first ipa-server-install --external-ca phase, is not running when the second phase is run with --external-cert-file options, the ipa-server-install command fail.
This test checks if second phase installs successfully when dirsrv
is stoped.
related ticket: https://pagure.io/freeipa/issue/6611
Signed-off-by: Mohammad Rizwan Yusuf <myusuf@redhat.com>
Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/commit/1ad27076a53e15f7a06b68fd4879aabbf2d57770">1ad27076</a></strong>
<div>
<span>by Mohammad Rizwan Yusuf</span>
<i>at 2018-02-06T11:16:14Z</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">Updated the TestExternalCA with the functions introduced for the steps of external CA installation.
Signed-off-by: Mohammad Rizwan Yusuf <myusuf@redhat.com>
Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/commit/156f912104fc57a14c32406d1cb74521f8abdcfe">156f9121</a></strong>
<div>
<span>by Alexander Koksharov</span>
<i>at 2018-02-06T11:25:08Z</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">Fix replica_promotion-domlevel0 test failures
Integration test is failing due to wrong message being
displayed by ipa. This issue was most probably introduced
by PR:
https://github.com/freeipa/freeipa/commit/f51869bf5214e2d2322f85bf72b7ae86b6893974
Error messages for domain level 0 and >=1 cases were basically
swapped. This PR is swapping them back.
Reviewed-By: Tibor Dudlak <tdudlak@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/commit/7b7edd57cd8ec144ea3c23889f84cb26d7f89d61">7b7edd57</a></strong>
<div>
<span>by Felipe Barreto</span>
<i>at 2018-02-06T14:53:08Z</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">IntegrationTests now collects logs from all test methods
logs_dict should not be cleared. It's filled once per class and it
should not be cleared after running the first test.
https://pagure.io/freeipa/issue/7310
https://pagure.io/freeipa/issue/7335
Reviewed-By: Michal Reznik <mreznik@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/commit/6c81a2cb50a9857ae6508c1d0949b21d08f3850f">6c81a2cb</a></strong>
<div>
<span>by amitkuma</span>
<i>at 2018-02-07T11:56:41Z</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">ipa-advise for smartcards updated
......
authconfig --enablesmartcard --smartcardmodule=sssd --updateall
Advise is updated to:
authconfig --enablesssd --enablesssdauth --enablesmartcard --smartcardmodule=sssd
--smartcardaction=1 --updateall
Resolves: https://pagure.io/freeipa/issue/7358
Reviewed-By: Christian Heimes <cheimes@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/commit/d945583cc77a723f7108c36555cdbe2b4da2d495">d945583c</a></strong>
<div>
<span>by Felipe Barreto</span>
<i>at 2018-02-07T12:24:46Z</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">Make IntegrationTest fail if an error happened during uninstall
Before this change, if the uninstall process fails, the test would not fail, due
to the raiseonerr=False.
It's necessary to remove the uninstall call in CALessBase because in
TestIntegration there is another uninstall call. So, without the
raiseonerr=False, it would make the uninstall process fail, since the master is
already uninstalled.
https://pagure.io/freeipa/issue/7357
Reviewed-By: Christian Heimes <cheimes@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/commit/84a10ee372d99bec82569ad2490f5f355f72e383">84a10ee3</a></strong>
<div>
<span>by Martin Basti</span>
<i>at 2018-02-07T16:27:11Z</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">py3: ipa-dnskeysyncd: fix bytes issues
LDAP client returns values as bytes, thus ipa-dnskeysyncd must work with
bytes properly.
https://pagure.io/freeipa/issue/4985
Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/commit/53f202bdcc0ec996d51d01bff450c1344e2c32d6">53f202bd</a></strong>
<div>
<span>by Martin Basti</span>
<i>at 2018-02-07T16:27:11Z</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">py3: bindmgr: fix iteration over bytes
In py3 iteration over bytes returns integers, in py2 interation over
bytes returns string.
https://pagure.io/freeipa/issue/4985
Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/commit/005d85ff688ad97d0b785f3cc906c142eea4d7cd">005d85ff</a></strong>
<div>
<span>by Tomas Krizek</span>
<i>at 2018-02-07T16:27:11Z</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">py3: bindmgr: fix bytes issues
LDAP client returns values as bytes, thus bindmgr must work with
bytes properly.
https://pagure.io/freeipa/issue/4985
Signed-off-by: Tomas Krizek <tkrizek@redhat.com>
Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/commit/efded2264f79c740ac7dbe4aca24705e734c19b8">efded226</a></strong>
<div>
<span>by Tomas Krizek</span>
<i>at 2018-02-07T16:27:11Z</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">py3 dnssec: convert hexlify to str
hexlify returns bytes and needs to be casted to string before
printing it out.
Related: https://pagure.io/freeipa/issue/4985
Signed-off-by: Tomas Krizek <tkrizek@redhat.com>
Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/commit/575e513b15586b49f15428655c5d4aa6e6fc2867">575e513b</a></strong>
<div>
<span>by Christian Heimes</span>
<i>at 2018-02-07T16:27:11Z</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">More DNSSEC house keeping
Related: https://pagure.io/freeipa/issue/4985
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/commit/7670dcb8533e7c5b1a89f50af39d1128d344fb38">7670dcb8</a></strong>
<div>
<span>by Christian Heimes</span>
<i>at 2018-02-07T16:27:11Z</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">Run DNSSEC under Python 3
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/commit/6a54146bc0902e768a659e68394e454ba3993a0b">6a54146b</a></strong>
<div>
<span>by Christian Heimes</span>
<i>at 2018-02-07T16:27:11Z</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">Decode ODS commands
ODS commands are ASCII strings, but socket.recv() returns bytes and
socket.send() expects bytes. Encode/decode values properly.
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/commit/f39d855af446f5a98a16cbd8971d2f2463b019af">f39d855a</a></strong>
<div>
<span>by Christian Heimes</span>
<i>at 2018-02-07T16:27:11Z</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">DNSSEC: Reformat lines to address PEP8 violations
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/commit/6f65abfd1156803c047a76ab6c839d1e83d3d3ad">6f65abfd</a></strong>
<div>
<span>by Christian Heimes</span>
<i>at 2018-02-07T16:27:11Z</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">DNSSEC code cleanup
Replace assert with proper check and exception.
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/commit/e5a508a749364f6a8916676061185c62972ea4a9">e5a508a7</a></strong>
<div>
<span>by Michal Reznik</span>
<i>at 2018-02-07T19:02:53Z</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">ipa_tests: test subca key replication
Test if key replication is not failing.
https://pagure.io/freeipa/issue/7387
Reviewed-By: Christian Heimes <cheimes@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/commit/387ae9fd0f0afeecffb41ff8ffd6835ae66ea8ff">387ae9fd</a></strong>
<div>
<span>by Christian Heimes</span>
<i>at 2018-02-08T07:12:58Z</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">ipa-server-upgrade now checks custodia server keys
The ipa-server-upgrade command now checks for presence of ipa-custodia's
config and server keys. In case any of the files is missing, it
re-creates both files.
Partly resolves https://pagure.io/freeipa/issue/6893. The upgrader does
not auto-detect broken or mismatching keys yet.
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Fraser Tweedale <ftweedal@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/commit/df0e6696d8a2446965c8e1f4fe3f85c01f990ca9">df0e6696</a></strong>
<div>
<span>by Christian Heimes</span>
<i>at 2018-02-08T07:24:54Z</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">Bump SELinux policy for DNSSEC
selinux-policy-3.13.1-283.24 fixes an AVC with OpenDNSSEC ods-signer.
See: https://bugzilla.redhat.com/show_bug.cgi?id=1537971
See: https://pagure.io/freeipa/issue/7378
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Fraser Tweedale <ftweedal@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/commit/ec228f411e480e03108f0e0fec0f706e159ca61c">ec228f41</a></strong>
<div>
<span>by Sumit Bose</span>
<i>at 2018-02-08T07:52:28Z</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">ipa-kdb: use magic value to check if ipadb is used
The certauth plugin is configured in /etc/krb5.conf independently form
the database module. As a result the IPA certauth plugin can be added to
the configuration without the IPA DAL driver. Since the IPA certauth
plugin depends on the presence of the IPA DAL driver this patch adds a
magic value at the beginning of struct ipadb_context which can be
checked to see if the IPA DAL driver is properly initialized.
Resolves https://pagure.io/freeipa/issue/7261
Reviewed-By: Christian Heimes <cheimes@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/commit/7619fa41549d7206b04511fbabb4c39f648a486c">7619fa41</a></strong>
<div>
<span>by Christian Heimes</span>
<i>at 2018-02-08T08:30:29Z</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">Bump python-ldap version to fix syncrepl bug
python-ldap had a bug in syncrepl caused by incompatible changes in
pyasn1. The bug has been fixed in 2.4.25-9.
Fixes: https://pagure.io/freeipa/issue/7240
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/commit/2391c75e3d7efcdc5c2f49defa5138fc7e6def06">2391c75e</a></strong>
<div>
<span>by Christian Heimes</span>
<i>at 2018-02-08T08:32:12Z</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">Replace hard-coded paths with path constants
Several run() calls used hard-coded paths rather than pre-defined paths
from ipaplatform.paths. The patch fixes all places that I was able to
find with a simple search.
The fix simplifies Darix's port of freeIPA on openSuSE.
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/commit/8821f7ae8e666b4ae42e232c672d616bf7fbffeb">8821f7ae</a></strong>
<div>
<span>by Rob Crittenden</span>
<i>at 2018-02-08T08:39:18Z</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">Fix detection of KRA installation so upgrades can succeed
Use is_installed() instead of is_configured() because
is_installed() does a config file check to see if the service
is in use.
https://pagure.io/freeipa/issue/7389
Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/commit/b07937d0b80c8ccc714ea62fafcc7090bbaecc23">b07937d0</a></strong>
<div>
<span>by Fraser Tweedale</span>
<i>at 2018-02-08T12:53:30Z</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">Update IPA CA issuer DN upon renewal
When renewing externally-signed CA or when switching from
externally-signed to self-signed CA, the Issuer DN can change.
Update the ipaCaIssuerDn field of the IPA CA entry upon renewal, to
keep it in sync.
Fixes: https://pagure.io/freeipa/issue/7316
Reviewed-By: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Tibor Dudlak <tdudlak@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/commit/939db89cacdd9450400093be33af891d17545c10">939db89c</a></strong>
<div>
<span>by Christian Heimes</span>
<i>at 2018-02-08T13:45:58Z</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">Update existing 389-DS cn=RSA,cn=encryption config
389-DS >= 1.4.0 on Fedora 28 has a default entry for
cn=RSA,cn=encryption,cn=config. The installer now updates the entry in
case it already exists. This ensures that token and personality are
correct for freeIPA
Fixes: https://pagure.io/freeipa/issue/7393
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/commit/40ac8158358e4ebe83208d41ff17164a58c8dc80">40ac8158</a></strong>
<div>
<span>by Christian Heimes</span>
<i>at 2018-02-08T15:58:13Z</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">Restart named-pkcs11 after KRA installation
KRA installer restarts 389-DS, which disrupts named-pkcs11
bind-dyndb-ldap for a short while. Restart named-pkcs11 to fix DNS
resolver.
Fixes: https://pagure.io/freeipa/issue/5813
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Tibor Dudlak <tdudlak@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/commit/73f61ce214e784ab8176a1f7acac6a3dbf1474ae">73f61ce2</a></strong>
<div>
<span>by Sumit Bose</span>
<i>at 2018-02-08T17:46:47Z</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">ipa-kdb: update trust information in all workers
Currently there is already code to make sure that after trust is established an
AS-REQ of the local HTTP principal causes a refresh of the internal structures
holding the information about the trusted domains.
But this refreshes only the data of the current krb5kdc worker process on the
local host. Other workers and the KDCs on other hosts will update the data
eventually when a request with a principal from a trusted realm is handled.
During this phase, which might last quite long if remote principals are only
handled rarely, TGTs for local principals might or might not contain a PAC
because the decision if a PAC should be added or not is based on the
information about trusted domains. Since the PAC is needed to access services
on the AD side this access might fail intermittently depending which worker
process on which host is handling the request. This might e.g. affect SSSD
running on the IPA server with two-way trust.
To fix this this patch calls ipadb_reinit_mspac() whenever a PAC is needed but
without the 'force' flag so that the refresh will only happen if it wasn't
called recently (currently not more often than once a minute).
An alternative might be to do the refresh only when processing cross-realm TGT
requests. But this would be already too late because the local principal asking
for a cross-realm ticket would not have a PAC and hence the first attempt will
still fail due to the missing PAC. And injecting the PAC in the cross-realm TGT
while there is none in the requesting ticket does not sound right.
Related to https://pagure.io/freeipa/issue/7351
Reviewed-By: Simo Sorce <ssorce@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/commit/1785a3e17b9196ac661074ae66c4774d720358fb">1785a3e1</a></strong>
<div>
<span>by Christian Heimes</span>
<i>at 2018-02-09T07:28:11Z</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">Replace wsgi package conflict with config file
Instead of a package conflict, freeIPA now uses an Apache config file to
enforce the correct wsgi module. The workaround only applies to Fedora
since it is the only platform that permits parallel installation of
Python 2 and Python 3 mod_wsgi modules. RHEL 7 has only Python 2 and
Debian doesn't permit installation of both variants.
See: https://pagure.io/freeipa/issue/7161
Fixes: https://pagure.io/freeipa/issue/7394
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/commit/ece17cef17f1a84e92846ae288bee581533d753e">ece17cef</a></strong>
<div>
<span>by Felipe Barreto</span>
<i>at 2018-02-09T07:30:21Z</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">Check if replication agreement exist before enable/disable it
If the replication agreement does not exist, a custom exception is
raised explaining the problem.
https://pagure.io/freeipa/issue/7201
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/commit/4daac52ddd10917c2237c0e86e87fb7b870e4d95">4daac52d</a></strong>
<div>
<span>by Fraser Tweedale</span>
<i>at 2018-02-09T07:57:41Z</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">ipaldap: allow GetEffectiveRights on individual operations
Allow caller to specify that the GetEffectiveRights server control
should be used on a per-operation basis. Also update
ldap2.get_effective_rights to use this new API.
Part of: https://pagure.io/freeipa/issue/6609
Reviewed-By: Christian Heimes <cheimes@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/commit/b466172d685520e1bcf9a57d238112c97afcb7fc">b466172d</a></strong>
<div>
<span>by Fraser Tweedale</span>
<i>at 2018-02-09T07:57:41Z</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">ldap2: fix implementation of can_add
ldap2.can_add checks for add permission of a given entry.
It did not work properly due to a defect in 389 DS. Now that the
defect has been fixed, we also need to update can_add to work with
the mechanism 389 DS provides for checking add permission for
entries where ACIs are in effect.
Update the ldap2.can_add implementation to perform the add
permission check properly. Also update call sites accordingly.
Update the spec file to require 389-ds-base-1.3.7.9-1 which is the
first release containing the fix. This version of 389-ds-base also
resolves a couple of other issues related to replication and
connection management.
Fixes: https://pagure.io/freeipa/issue/6609
Fixes: https://pagure.io/freeipa/issue/7165
Fixes: https://pagure.io/freeipa/issue/7228
Reviewed-By: Christian Heimes <cheimes@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/commit/1adb3edea960d97f27fa9beb33efcb2495f18e23">1adb3ede</a></strong>
<div>
<span>by Timo Aaltonen</span>
<i>at 2018-02-09T08:14:22Z</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">Move config templates from install/conf to install/share
Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/commit/e6c707b168067ebb3705c21efc377acd29b23fff">e6c707b1</a></strong>
<div>
<span>by Timo Aaltonen</span>
<i>at 2018-02-09T08:14:22Z</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">ipaplatform, ipa.conf: Use paths variables in ipa.conf.template
Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/commit/93b7c40158313b9f0f125706265ea0ac07fb4c0e">93b7c401</a></strong>
<div>
<span>by Aleksei Slaikovskii</span>
<i>at 2018-02-09T08:44:11Z</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">Enable and start oddjobd after ipa-restore if it's not running.
If after ipa-restore the service oddjobd is not running,
domain-level1 replica installation will fail during
ipa-replica-conncheck because this step is using oddjob
to start the process ipa-replica-conncheck on the master.
This patch fixes it. Also added regression test.
https://pagure.io/freeipa/issue/7234
Reviewed-By: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/commit/7364c268ebc241c2fa456951f0790ee5d83a7b3a">7364c268</a></strong>
<div>
<span>by Florence Blanc-Renaud</span>
<i>at 2018-02-12T16:30:52Z</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">ipa host-add --ip-address: properly handle NoNameservers
When ipa host-add --ip-address is called but no DNS server is able to answer
for the reverse zone, get_reverse_zone raises a NoNameservers exception.
The exception is not managed by add_records_for_host_validation, and this
leads to the command exiting on failure with an InternalError:
$ ipa host-add testhost.ipadomain.com --ip-address 172.16.30.22
ipa: ERROR: an internal error has occurred
A traceback is also logged in httpd error_log.
This commit properly handles the exception, and adds a test.
https://pagure.io/freeipa/issue/7397
Reviewed-By: Christian Heimes <cheimes@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/commit/80585f5c563b3f3ea8e907656fd4c9baff2d5ec4">80585f5c</a></strong>
<div>
<span>by Mohammad Rizwan Yusuf</span>
<i>at 2018-02-14T09:17:17Z</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">Before the fix, when ipa-backup was called for the first time, the LDAP database exported to /var/lib/dirsrv/slapd-<instance>/ldif/<instance>-userRoot.ldif. db2ldif is called for this and it runs under root, hence files were owned by root.
When ipa-backup called the next time, the db2ldif fails,
because the tool does not have permissions to write to the ldif
file which was owned by root (instead of dirsrv)
This test check if files are owned by dirsrv and db2ldif doesn't
fails
related ticket: https://pagure.io/freeipa/issue/7010
Signed-off-by: Mohammad Rizwan Yusuf <myusuf@redhat.com>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/commit/86a6fdcc4316a26f40c9e0c0a92d21bec94ccd9c">86a6fdcc</a></strong>
<div>
<span>by Aleksei Slaikovskii</span>
<i>at 2018-02-14T13:26:27Z</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">test_backup_and_restore.py Fix logging
Use strings to log in restore_checker and backup functions.
Reviewed-By: Christian Heimes <cheimes@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/commit/8ffa33c24ecae7be41421669ff6114ae56e9a6e7">8ffa33c2</a></strong>
<div>
<span>by Christian Heimes</span>
<i>at 2018-02-15T08:41:30Z</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">Generate same API.txt under Python 2 and 3
Use Python 3's reprlib with customizations to create same API.txt under
Python 2 and 3. Some plugins have been slightly altered to use stable
sorting for dynamically created parameter lists.
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/commit/a319a378d7913ea7af5ce360fc0a18ae9b889da0">a319a378</a></strong>
<div>
<span>by Christian Heimes</span>
<i>at 2018-02-15T08:41:30Z</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">Run API and ACI under Python 2 and 3
Make it possible to run API, ACI, and potests under Python 3.
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/commit/0ee3a267112dfafe12726fb185a4ce260c67aff7">0ee3a267</a></strong>
<div>
<span>by Christian Heimes</span>
<i>at 2018-02-15T10:45:31Z</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">Fix i18n test for Chinese translation
Python 3's regular expression default to full range of unicode
characters. Restrict \w matches to ASCII and drop \b suffix check to fix
a problem with validation the Chinese translation zh_CN.
Co-Authored-By: Stanislav Laznicka <slaznick@redhat.com>
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/commit/0cc2a6cae01043f0aba32319ac8c6475780b6d7f">0cc2a6ca</a></strong>
<div>
<span>by Christian Heimes</span>
<i>at 2018-02-15T13:02:03Z</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">Fix multiple uninstallation of server
"ipa-server-install --uninstall" no longer fails with error message
"'Env' object has no attribute 'basedn'" when executed on a system that
has no freeIPA server installation.
Fixes: https://pagure.io/freeipa/issue/7063
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Felipe Volpone <fbarreto@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/commit/8b6506a5f1176ad768bb0e513436009906b8ff63">8b6506a5</a></strong>
<div>
<span>by Florence Blanc-Renaud</span>
<i>at 2018-02-15T13:10:48Z</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">User must not be able to delete his last active otp token
The 389-ds plugin for OTP last token is performing data initialization
in its ipa_otp_lasttoken_init method, which is wrong according to
the Plug-in Guide:
> For example, the init function should not attempt to perform an
> internal search or other internal operation, because the all of
> the subsystems are not up and running during the init phase.
This init method fills a structure containing the configuration of
allowed authentication types. As the method is called too early, the
method does not find any suffix and leaves the structure empty.
Subsequent calls find an empty structure and take the default values
(for authentication methods, the default is 1 = password).
Because of that, the code consider that the global configuration defines
password authentication method, and in this case it is allowed to delete
a user's last otp token.
The fix implements a SLAPI_PLUGIN_START_FN method that will be called
when 389-ds is ready to initialize the plugin data, ensuring that the
structure is properly initialized.
Fixes:
https://pagure.io/freeipa/issue/7012
Reviewed-By: Nathaniel McCallum <npmccallum@redhat.com>
Reviewed-By: Alexey Slaykovsky <alexey@slaykovsky.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/commit/c701cd21d31e6bdf5f1078cdfca49e410e093e28">c701cd21</a></strong>
<div>
<span>by Florence Blanc-Renaud</span>
<i>at 2018-02-15T13:10:48Z</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">389-ds OTP lasttoken plugin: Add unit test
Add a xmlrpc test checking that a user cannot delete his last
OTP token.
Related to
https://pagure.io/freeipa/issue/7012
Reviewed-By: Nathaniel McCallum <npmccallum@redhat.com>
Reviewed-By: Alexey Slaykovsky <alexey@slaykovsky.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/commit/1b0c55a3b362a8655d0ec6c55d30d6173fa88eee">1b0c55a3</a></strong>
<div>
<span>by Christian Heimes</span>
<i>at 2018-02-15T17:32:17Z</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">Unified ldap_initialize() function
Replace all ldap.initialize() calls with a helper function
ldap_initialize(). It handles cacert and cert validation correctly. It
also provides a unique place to handle python-ldap 3.0 bytes warnings in
the future.
Fixes: https://pagure.io/freeipa/issue/7411
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/commit/f31797c70ac6d1fe4a651def1f87350bec16d194">f31797c7</a></strong>
<div>
<span>by Stanislav Laznicka</span>
<i>at 2018-02-15T17:43:12Z</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">Have all the scripts run in python 3 by default
The Python 3 refactoring effort is finishing, it should be safe
to turn all scripts to run in Python 3 by default.
https://pagure.io/freeipa/issue/4985
Reviewed-By: Christian Heimes <cheimes@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/commit/a349629fbad8bcb0179c1a1f6babe76464be89d2">a349629f</a></strong>
<div>
<span>by Christian Heimes</span>
<i>at 2018-02-16T07:31:20Z</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">ipa-custodia-checker now uses python3 shebang
https://pagure.io/freeipa/issue/4985
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/commit/83ed8d279210766d3d068a2a6daa0f8368c937e4">83ed8d27</a></strong>
<div>
<span>by Felipe Barreto</span>
<i>at 2018-02-16T08:57:07Z</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">WebUI Tests: fixing test_hbac
Adding more wait_for_request between navigation and small
code refactor.
Reviewed-By: Petr Vobornik <pvoborni@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/commit/dae5bac39bb2cbea1219b320d05d2171f5f86e63">dae5bac3</a></strong>
<div>
<span>by Felipe Barreto</span>
<i>at 2018-02-16T08:57:07Z</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">WebUI Tests: fixing test_group
Removing old data that is not needed anymore.
Reviewed-By: Petr Vobornik <pvoborni@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/commit/3fa4378bc4f8b1d01c3f9844d605c174d0aa815f">3fa4378b</a></strong>
<div>
<span>by Felipe Barreto</span>
<i>at 2018-02-16T08:57:07Z</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">WebUI Tests: fixing test_navigation
Removing old menu options, including idview and navigation on the
side bar
Reviewed-By: Petr Vobornik <pvoborni@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/commit/7c3f9b79eb42252b4540e26267e5aa229343f392">7c3f9b79</a></strong>
<div>
<span>by Felipe Barreto</span>
<i>at 2018-02-16T08:57:07Z</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">WebUI Tests: refactoring login method to be more readable
Reviewed-By: Petr Vobornik <pvoborni@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/commit/49a17e98b0eb62636f4c4f0f43218a36fcea383d">49a17e98</a></strong>
<div>
<span>by Felipe Barreto</span>
<i>at 2018-02-16T08:57:07Z</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">WebUI Tests: changing how the login screen is detected
The "rcue-login-screen" element does not exist anymore. Changing the
code to use the ".login-pf" instead.
With the change, it's also necessary to check if the login screen is still
visible when trying to fill the fields of new password, otherwise a
StaleElementReferenceException exception will be raised.
Reviewed-By: Petr Vobornik <pvoborni@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/commit/12da43c54fb927b48677fcca50f5110c5e659b1e">12da43c5</a></strong>
<div>
<span>by Felipe Barreto</span>
<i>at 2018-02-16T08:57:07Z</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">WebUI Tests: fixing test_range test case
As described in the commit [1] and ticket [2], it should not be possible to
change the range of a local IPA domain.
The basic_crud was changed to make it flexible to do not run the mod operation
if needed.
[1] 55feea500be1f4ae7bf02ef3c48377a6751ca71d
[2] https://pagure.io/freeipa/issue/4826
Reviewed-By: Petr Vobornik <pvoborni@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/commit/a072fe9718a4273aea0363667c728e6861c3f3b7">a072fe97</a></strong>
<div>
<span>by Felipe Barreto</span>
<i>at 2018-02-16T08:57:07Z</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">WebUI Tests: Changing how the initial load process is done
Instead of always entering the address on the address bar and reloading the
application, now the code checks if that is necessary.
With the change, the logout process is done correctly and we do not keep any
AJAX call left behind. Which could cause the user not being logout properly and
breaking the tests.
More about the logout problem described in:
https://github.com/freeipa/freeipa/pull/1479
Reviewed-By: Petr Vobornik <pvoborni@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/commit/81fb7e5a321e2f4fa0e4112bea073c30dbe9d54e">81fb7e5a</a></strong>
<div>
<span>by Felipe Barreto</span>
<i>at 2018-02-16T08:57:07Z</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">WebUI Tests: fixing test_user.py::test_test_noprivate_posix
When filling the combo box (the gidnumber) in the dialog to create a new
user, the Add button was also clicked; closing the dialog. The wait
makes it to not click.
Reviewed-By: Petr Vobornik <pvoborni@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/commit/a5bd7bf7668092d9b329e640b656f23b8bf7bfe6">a5bd7bf7</a></strong>
<div>
<span>by Felipe Barreto</span>
<i>at 2018-02-16T08:57:07Z</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">WebUI Tests: changing the ActionsChains.move_to_element to a new approach
The approach ActionChains.move_to_element no longer works as said here [1],
so, it's necessary to change it to the new one. This means, running a
javascript script to move the page to where the element is.
There are more details in the link [1], but in summary the w3c spec is
not obvious if a click should scroll the page to the element or not.
In one hand Chrome and Edge does that, but Firefox don't. As we use
Firefox to run the tests, we need the workaround.
[1] https://github.com/mozilla/geckodriver/issues/776
Reviewed-By: Petr Vobornik <pvoborni@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/commit/631d3152fe578916e6121a1e731505d502fcea84">631d3152</a></strong>
<div>
<span>by Christian Heimes</span>
<i>at 2018-02-16T14:55:32Z</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">freeipa-server no longer supports i686 arch on F28
389-ds-base 1.4 is going to drop 32bit i686 arch support in Fedora 28,
https://bugzilla.redhat.com/show_bug.cgi?id=1530832 . Skip server
related packages (freeipa-server, python[23]-ipaserver,
freeipa-server-common, freeipa-server-dns, freeipa-server-trust-ad).
RHBZ: https://bugzilla.redhat.com/show_bug.cgi?id=1544386
Fixes: https://pagure.io/freeipa/issue/7400
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/commit/364ffd5a0ff0848ec203f39397f00733a76d3350">364ffd5a</a></strong>
<div>
<span>by Stanislav Laznicka</span>
<i>at 2018-02-19T13:16:51Z</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">Fix FileStore.backup_file() not to backup same file
FileStore.backup_file() docstring claimed not to store a
copy of the same file but the behavior of the method did not
match this description.
This commit makes the backed-up file filename derivation
deterministic by hashing its content by SHA-256, thus it
should not back up two files with the same filename and content.
Reviewed-By: Aleksei Slaikovskii <aslaikov@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/commit/f316eb83ddbdf270411a97460a6e72f8cc66b5dd">f316eb83</a></strong>
<div>
<span>by Petr Vobornik</span>
<i>at 2018-02-19T13:21:26Z</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">fastcheck: do not test context in pycodestyle
`git diff` shows also context lines by default. When passed to pycodestyle
it can produce errors unrelated to changed lines. It prevents running of
subsequent checks.
Limiting context to 0 lines by `git diff -U0` enables to test only the
modified lines and allows to run subsequent checks.
Reviewed-By: Christian Heimes <cheimes@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/commit/d647072642bdf01d0bfee31a7b5615b145583da5">d6470726</a></strong>
<div>
<span>by Florence Blanc-Renaud</span>
<i>at 2018-02-19T14:51:44Z</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">ACI: grant access to admins group instead of admin user
The ACI needed for staged users and deleted users were granted
only to the uid=admin user. They should rather be granted to
cn=admins group, to make sure that all members of the admins
group are able to call the command ipa user-del --preserve.
This commit also adds integration test for non-regression.
https://pagure.io/freeipa/issue/7342
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/commit/eaa5be3eecb6a54cc4ff6469057901258cf736da">eaa5be3e</a></strong>
<div>
<span>by John L</span>
<i>at 2018-02-19T19:52:40Z</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">Remove special characters in host_add random OTP generation
Fixes a regression in 4.5.0 where special character set was limited.
Special characters in the OTP has caused issues in unattended
installations where the OTP is not properly quoted or escaped.
Expansion of the special character set in 4.5.0 release may cause
existing user installation scripts to fail where they wouldn't
otherwise.
https://pagure.io/freeipa/issue/7380
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/commit/9c2c3df0abdd0545c746a996a8e4f42a5e0fa0f4">9c2c3df0</a></strong>
<div>
<span>by Christian Heimes</span>
<i>at 2018-02-20T12:03:01Z</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">Add better CalledProcessError and run() logging
In case of an error, ipapython.ipautil.run() now raises an exception that
contains the error message of the failed command. Before the exception
only contained the command and error code.
The command is no longer collapsed into one string. The error message
and logging output contains the actual command and arguments with intact
quoting.
Example:
CalledProcessError(Command ['/usr/bin/python3', '-c', 'import sys; sys.exit(" ".join(("error", "XXXXXXXX")))'] returned non-zero exit status 1: 'error XXXXXXXX\n')
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Tibor Dudlak <tdudlak@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/commit/d7d13bc95043a85bd7621e364554df5989a7ce9d">d7d13bc9</a></strong>
<div>
<span>by Petr Vobornik</span>
<i>at 2018-02-20T14:17:13Z</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">webui:tests: move DNS test data to separate file
So that the data can be used in other test without running
the DNS tests.
Reviewed-By: Petr Cech <pcech@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/commit/d73d49f3f69ed34cf8386422822a85a4707bf669">d73d49f3</a></strong>
<div>
<span>by Petr Vobornik</span>
<i>at 2018-02-20T14:17:13Z</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">webui:tests: realm domain add with DNS check
Try adding and deleting with "Check DNS" (in html 'ok' button)
DNS check expects that the added domain will have DNS record:
TXT _kerberos.$domain "$REALM"
When a new domain is added using dnszone-add it automatically adds
this TXT record and adds a realm domain. So in order to test without
external DNS we must get into state where realm domain is not added
(in order to add it) but DNS domain with the TXT record exists.
Reviewed-By: Petr Cech <pcech@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/commit/6b214512b335998b424ef0c160b593b162b07c29">6b214512</a></strong>
<div>
<span>by Petr Vobornik</span>
<i>at 2018-02-20T14:17:13Z</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">webui:tests: close big notifications in realm domains tests
Realm domains commands produce big fat warnings about DNS state/checks.
Given the length of these warnings, they stay displayed for longer time.
As Web UI automated tests progresses quickly more of the warnings can
be displayed at the same time and thus taking a lot of space and thus
covering UI needed for next test step.
By closing the notifications before next action we make sure that test
won't fail because notification covered the required UI.
Reviewed-By: Petr Cech <pcech@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/commit/db2222fee4558004968900e8d1421abfb409f53a">db2222fe</a></strong>
<div>
<span>by Petr Vobornik</span>
<i>at 2018-02-20T14:17:13Z</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">temp commit to run the affected tests
Reviewed-By: Petr Cech <pcech@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/commit/90a75f0d4300126f18dabfb9ca4df59cab4d97cb">90a75f0d</a></strong>
<div>
<span>by Christian Heimes</span>
<i>at 2018-02-20T16:01:52Z</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">Use system-wide crypto-policies on Fedora
HTTPS connections from IPA framework and bind named instance now use
system-wide crypto-policies on Fedora.
For HTTPS the 'DEFAULT' crypto policy also includes unnecessary ciphers
for PSK, SRP, aDSS and 3DES. Since these ciphers are not used by freeIPA,
they are explicitly excluded.
See: https://bugzilla.redhat.com/show_bug.cgi?id=1179925
See: https://bugzilla.redhat.com/show_bug.cgi?id=1179220
Fixes: https://pagure.io/freeipa/issue/4853
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/commit/aee0d2180c7119bef30ab7cafea81dc3df1170b7">aee0d218</a></strong>
<div>
<span>by Christian Heimes</span>
<i>at 2018-02-20T16:01:52Z</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">Upgrade named.conf to include crypto policy
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/commit/68caeb8b1921af5d2c872f24984865d471a7df3c">68caeb8b</a></strong>
<div>
<span>by Christian Heimes</span>
<i>at 2018-02-20T16:01:52Z</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">Add mocked test for named crypto policy update
Mocked tests require the mock package for Python 2.7. Python 3 has
unittest.mock in the standard library.
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/commit/805aea2443c902cd7c5525102701f116b43da575">805aea24</a></strong>
<div>
<span>by Rob Crittenden</span>
<i>at 2018-02-21T06:57:40Z</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">Use mod_ssl instead of mod_nss for Apache TLS for new installs
Change some built-in assumptions that Apache has an NSS certificate
database.
Configure mod_ssl instead of mod_nss. This is mostly just changing
the directives used with some slight syntactical differences.
Drop mod_nss-specific methods and functions.
There is some mention of upgrades here but this is mostly a
side-effect of removing things necessary for the initial install.
TODO:
- backup and restore
- use user-provided PKCS#12 file for the certificate and key
Related: https://pagure.io/freeipa/issue/3757
Reviewed-By: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/commit/a0407f75f9b25c265008e907c7f97e2e4b0fa6e8">a0407f75</a></strong>
<div>
<span>by Rob Crittenden</span>
<i>at 2018-02-21T06:57:40Z</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">Remove main function from the certmonger library
This was useful during initial development and as a simple
in-tree unit test but it isn't needed anymore.
Related: https://pagure.io/freeipa/issue/3757
Reviewed-By: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/commit/5c64e28512be88f597cec0536576dbaba8b92878">5c64e285</a></strong>
<div>
<span>by Rob Crittenden</span>
<i>at 2018-02-21T06:57:40Z</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">Convert ipa-pki-proxy.conf to use mod_ssl directives
Related: https://pagure.io/freeipa/issue/3757
Reviewed-By: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/commit/4596674481dbbeb9026f0ff793699479e1cfb09d">45966744</a></strong>
<div>
<span>by Rob Crittenden</span>
<i>at 2018-02-21T06:57:40Z</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">Enable upgrades from a mod_nss-installed master to mod_ssl
The existing private/public keys are migrated to PEM files
via a PKCS#12 temporary file. This should work for both
IPA-generated and user-provided server certificates.
Related: https://pagure.io/freeipa/issue/3757
Reviewed-By: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/commit/5531c9f26b1910ec9f852d5ae0da7ddf078ec8fc">5531c9f2</a></strong>
<div>
<span>by Rob Crittenden</span>
<i>at 2018-02-21T06:57:40Z</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">Don't backup nss.conf on upgrade with the switch to mod_ssl
This is because if backed up it may contain IPA-specific entries
like an import of ipa-rewrite.conf that on uninstall won't exist
and this will keep Apache from restarting.
We already have a backup of nss.conf from pre-install. Stick with
that.
Related: https://pagure.io/freeipa/issue/3757
Reviewed-By: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/commit/4d2c7a4a75a35d19a1ce069b45d3ac2d5ad80376">4d2c7a4a</a></strong>
<div>
<span>by Rob Crittenden</span>
<i>at 2018-02-21T06:57:40Z</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">Add value in set_directive after a commented-out version
When setting a value using set_directive() look for a commented-out
version of the directive and add the new value immediately after
that to keep the proper context.
Related: https://pagure.io/freeipa/issue/3757
Reviewed-By: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/commit/fa135e6ef123c1ec48463d3389d01363395e2d8e">fa135e6e</a></strong>
<div>
<span>by Rob Crittenden</span>
<i>at 2018-02-21T06:57:40Z</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">Update smart_card_auth advise script for mod_ssl
Related: https://pagure.io/freeipa/issue/3757
Reviewed-By: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/commit/7dc923cc4c2ec7c01156589f8314c78439dbc857">7dc923cc</a></strong>
<div>
<span>by Stanislav Laznicka</span>
<i>at 2018-02-21T06:57:40Z</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">mod_ssl migration: fix upload_cacrt.py plugin
Fix the upload_cacrt.py plugin to use the DS NSS database to
upload the CA certificate from (which is the original behavior).
This is possibly required for the upgrade path from some very
old IPA versions that did not use the certificates storage in
LDAP.
Related: https://pagure.io/freeipa/issue/3757
Reviewed-By: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/commit/205675239a7ecd66ae77b01e90158b5a559b840e">20567523</a></strong>
<div>
<span>by Stanislav Laznicka</span>
<i>at 2018-02-21T06:57:40Z</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">httpinstance: handle supplied PKCS#12 files in installation
Part of the mod_nss -> mod_ssl move. This patch allows loading
necessary certificates for Apache to function from PKCS#12 files.
This should fix CA-less and domain level 0 installations.
Related: https://pagure.io/freeipa/issue/3757
Reviewed-By: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/commit/8789afa18af968032e3f2159a48a6493f6755f47">8789afa1</a></strong>
<div>
<span>by Stanislav Laznicka</span>
<i>at 2018-02-21T06:57:40Z</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">x509: Remove unused argument of load_certificate_from_file()
Reviewed-By: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/commit/60aa2c3b38e1f95c465821484f86657fa696e02b">60aa2c3b</a></strong>
<div>
<span>by Stanislav Laznicka</span>
<i>at 2018-02-21T06:57:40Z</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">x509: Fix docstring of write_certificate()
Reviewed-By: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/commit/c85bf376f06cda17305a8723755f3635a3da275a">c85bf376</a></strong>
<div>
<span>by Stanislav Laznicka</span>
<i>at 2018-02-21T06:57:40Z</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">certupdate: don't update HTTPD NSS db
Since mod_ssl is using the /etc/ipa/ca.crt for its source
of the CA chain, we don't need to update the HTTPD NSS
database anymore (since it does not really exist).
https://pagure.io/freeipa/issue/3757
Reviewed-By: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/commit/9a7c3159841c10e353861519a1b25bd9b0ef773d">9a7c3159</a></strong>
<div>
<span>by Stanislav Laznicka</span>
<i>at 2018-02-21T06:57:40Z</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">Make ipa-server-certinstall store HTTPD cert in a file
This refactors the way certificate files are replaced during
ipa-server-certinstall and uses that approach on KDC and
HTTPD certificate cert-key pairs.
https://pagure.io/freeipa/issue/3757
Reviewed-By: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/commit/92d91ed58be62e50aadeac5396602429a02f711e">92d91ed5</a></strong>
<div>
<span>by Stanislav Laznicka</span>
<i>at 2018-02-21T06:57:40Z</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">fixup: add ipa-rewrite.conf to ssl.conf on upgrade
Fixes ipa-server-upgrade when upgrading from a pre-mod_ssl
version where the appropriate "Include" statement needs to
be added to ssl.conf settings so that WebUI functions properly.
Related: https://pagure.io/freeipa/issue/3757
Reviewed-By: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/commit/0c388d1e8f9bdadf83c20ee4186470f0eee593a9">0c388d1e</a></strong>
<div>
<span>by Stanislav Laznicka</span>
<i>at 2018-02-21T06:57:40Z</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">service: rename import_ca_certs_* to export_*
The import_ca_certs_{file,nssdb} methods were actually exporting
CA certificates from LDAP to different formats. The new names should
better reflect what these methods are actually doing.
Related: https://pagure.io/freeipa/issue/3757
Reviewed-By: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/commit/dde62ff883dbd6f13763f789521d37fca125ea6d">dde62ff8</a></strong>
<div>
<span>by Stanislav Laznicka</span>
<i>at 2018-02-21T06:57:40Z</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">httpinstance: backup mod_nss conf instead of just removing it
Backup mod_nss configuration in case IPA is uninstalled once
and there's applications that require it. We too required it
in previous versions, after all.
Related: https://pagure.io/freeipa/issue/3757
Reviewed-By: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/commit/8ea04ab3e3eef431d529c0d99e9d1ea5a65933e1">8ea04ab3</a></strong>
<div>
<span>by Stanislav Laznicka</span>
<i>at 2018-02-21T06:57:40Z</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">httpinstance: verify priv key belongs to certificate
Verify the certificate issued during an installation belongs
to its private key.
Related: https://pagure.io/freeipa/issue/3757
Reviewed-By: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/commit/ee49947b6c258a7cff6fa126f06905f297a3e07b">ee49947b</a></strong>
<div>
<span>by Stanislav Laznicka</span>
<i>at 2018-02-21T06:57:40Z</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">httpinstance: fix publishing of CA cert
Adjust the HTTPInstance.__publish_ca_cert() method so that it only
exports the lowest intermediate CA certificate that signed the
HTTP certificate.
Related: https://pagure.io/freeipa/issue/3757
Reviewed-By: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/commit/1ca68ea7300daa125eb2fec9aa2de2122b3fd95e">1ca68ea7</a></strong>
<div>
<span>by Stanislav Laznicka</span>
<i>at 2018-02-21T06:57:40Z</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">httpinstance fixup: remove commented-out lines
Related: https://pagure.io/freeipa/issue/3757
Reviewed-By: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/commit/b21941360cdfbcce9fc891befc160103b4678eec">b2194136</a></strong>
<div>
<span>by Stanislav Laznicka</span>
<i>at 2018-02-21T06:57:40Z</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">Move HTTPD cert/key pair to /var/lib/ipa/certs
This moves the HTTPD certificates from their default location
to IPA-specific one. This should be especially helpful from
the container perspective.
Related: https://pagure.io/freeipa/issue/3757
Reviewed-By: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/commit/75845733f86df5ddeba81d8ce5312be0eb511262">75845733</a></strong>
<div>
<span>by Stanislav Laznicka</span>
<i>at 2018-02-21T06:57:40Z</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">Backup ssl.conf when migrating from mod_nss
We should backup mod_ssl configuration when migrating from nss
otherwise the uninstall would later leave the machine with
IPA-specific settings.
Related: https://pagure.io/freeipa/issue/3757
Reviewed-By: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/commit/efaa48e455d12d374cb1492163289dbb73dabf39">efaa48e4</a></strong>
<div>
<span>by Petr Vobornik</span>
<i>at 2018-02-21T08:50:59Z</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">Revert "temp commit to run the affected tests"
This reverts commit db2222fee4558004968900e8d1421abfb409f53a.
Temp commit was acked by accident. It should have been removed after
ack of approach of PR 1596. But the PR should not have been ACKed.
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/commit/f7b23424263c52e895bbbad3d6b62b133a607171">f7b23424</a></strong>
<div>
<span>by Petr Vobornik</span>
<i>at 2018-02-22T19:27:11Z</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">webui: hbactest: add tooltips to 'enabled' and 'disabled' checkboxes
"Include enabled" and "Include disabled" checkboxes on "Rules" tab
of HBAC Test Web UI page don't have any descriptions. It is not
clear what they do from only the labels.
This patch adds tooltips with metadata doc text of respected API
options. I.e. in practice it adds the same as CLI help when user
hovers over the checkbox label.
--enabled Include all enabled IPA rules into test [default]
--disabled Include all disabled IPA rules into test
Reviewed-By: Felipe Barreto <fbarreto@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/commit/2d8d5ad8d9a4c1fedce4ed4c6bcd1f5861ade982">2d8d5ad8</a></strong>
<div>
<span>by Christian Heimes</span>
<i>at 2018-02-23T08:29:43Z</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">Remove deprecated -p option from ipa-dns-install
The option has been deprecated since at least freeIPA release 4.3.0 when
the installer was changed to use LDAPI.
See: https://pagure.io/freeipa/issue/4933
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/commit/88fd3f9435b2b26df5effc18ea9a89dfa2a64624">88fd3f94</a></strong>
<div>
<span>by Christian Heimes</span>
<i>at 2018-02-23T10:04:10Z</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">certmonger: Use explicit storage format
Add storage='NSSDB' to various places. It makes it a bit easier to track
down NSSDB usage.
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/commit/c5fb6c85020384e5bb58c4df6d99e383f556f446">c5fb6c85</a></strong>
<div>
<span>by Christian Heimes</span>
<i>at 2018-02-23T10:04:10Z</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">Prepare migration of mod_nss NSSDB to sql format
- Refactor CertDB to look up values from its NSSDatabase.
- Add run_modutil() helpers to support sql format. modutil does not
auto-detect the NSSDB format.
- Add migration helpers to CertDB.
- Add explicit DB format to NSSCertificateDatabase stanza
- Restore SELinux context when migrating NSSDB.
- Add some debugging and sanity checks to httpinstance.
The actual database format is still dbm. Certmonger on Fedora 27 does
neither auto-detect DB format nor support SQL out of the box.
https://pagure.io/freeipa/issue/7354
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/commit/492e3c9b1e28a1789d6b306ec41f580c0501fae5">492e3c9b</a></strong>
<div>
<span>by Christian Heimes</span>
<i>at 2018-02-23T10:04:10Z</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">NSSDB: Let certutil decide its default db type
CertDB no longer makes any assumptions about the default db type of a NSS
DB. Instead it let's certutil decide when dbtype is set to 'auto'. This
makes it much easier to support F27 and F28 from a single code base.
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/commit/66a32d89310bee83df8e6ca30a134982ac78e81e">66a32d89</a></strong>
<div>
<span>by Christian Heimes</span>
<i>at 2018-02-23T10:04:10Z</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">NSS: Force restore of SELinux context
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/commit/a8555d42a438578a1d08bd8724bc95391164638c">a8555d42</a></strong>
<div>
<span>by Christian Heimes</span>
<i>at 2018-02-23T10:04:10Z</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">Update /etc/ipa/nssdb in client scripts
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/commit/df99af4a68ada8a57f545013a4b884399c10f186">df99af4a</a></strong>
<div>
<span>by Christian Heimes</span>
<i>at 2018-02-23T10:04:10Z</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">Remove unused modutils wrappers from NSS/CertDB
The disable system trust feature is no longer used.
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/commit/0aaee0a97f5e26903474da10538e464a9f32dba7">0aaee0a9</a></strong>
<div>
<span>by Rob Crittenden</span>
<i>at 2018-02-23T13:22:40Z</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">Don't return None on mismatched interactive passwords
This will cause the command to continue with no password set
at all which is not what we want.
We want to loop forever until the passwords match or the
user gives up and types ^D or ^C.
https://pagure.io/freeipa/issue/7383
Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/commit/d749723a144fbd0d810de5d1f61a5a85e998facf">d749723a</a></strong>
<div>
<span>by Christian Heimes</span>
<i>at 2018-02-23T13:38:20Z</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">Silence GCC warning in ipa-kdb
The ipadb_free() and ipadb_alloc() functions are only used with
KRB5_KDB_DAL_MAJOR_VERSION 5.
ipa_kdb.c:639:13: warning: ‘ipadb_free’ defined but not used [-Wunused-function]
ipa_kdb.c:634:14: warning: ‘ipadb_alloc’ defined but not used [-Wunused-function]
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/commit/642712f9c48b80693510543baedab6625aebcb06">642712f9</a></strong>
<div>
<span>by Christian Heimes</span>
<i>at 2018-02-23T13:38:20Z</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">Silence GCC warning in ipa_extdom
NSS_STATUS_RETURN is an internal value but GCC doesn't know that.
ipa_extdom_common.c:103:5: warning: enumeration value ‘NSS_STATUS_RETURN’ not handled in switch [-Wswitch]
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/commit/4295df17a42897f6f59be21c25c5dd03984e35d3">4295df17</a></strong>
<div>
<span>by Florence Blanc-Renaud</span>
<i>at 2018-02-23T13:39:34Z</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">ipa host-add: do not raise exception when reverse record not added
When ipa host-add --random is unable to add a reverse record (for instance
because the server does not manage any reverse zone), the command
adds the host but exits (return code=1) with an error without actually
outputing the random password generated.
With this fix, the behavior is modified. The commands succeeds (return code=0)
but prints a warning.
This commit also adds a unit test.
https://pagure.io/freeipa/issue/7374
Reviewed-By: Christian Heimes <cheimes@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/commit/cfe4150b223355fc31d11955439f1704d9a9b416">cfe4150b</a></strong>
<div>
<span>by Christian Heimes</span>
<i>at 2018-02-26T09:03:00Z</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">Move DNS related files to server-dns package
The freeipa-server package was shipping files that are only used by
freeipa-server-dns.
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/commit/2a50a7daf057860818f1595fe8156de52e9b6b9e">2a50a7da</a></strong>
<div>
<span>by Michal Reznik</span>
<i>at 2018-02-26T09:11:33Z</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">tests: ca-less to ca-full - remove certupdate
After commits 8960141 and 97942a7 we do not need to run
ipa-certupdate command anymore when switching to ca-full.
This patch removes the above mentioned commands in order to
properly test the scenario.
https://pagure.io/freeipa/issue/7309
Reviewed-By: Fraser Tweedale <ftweedal@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/commit/e6ca3b0c737b6d2e7449a7a3a477d379e8274240">e6ca3b0c</a></strong>
<div>
<span>by amitkuma</span>
<i>at 2018-03-06T09:11:52Z</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">Removing extra spaces present in man ipa-server-install
There are extras space present in man page. PR removes
identified extra spaces.
Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/commit/c9c41d2d9077202f68c16db53f532da1b7055c10">c9c41d2d</a></strong>
<div>
<span>by Stanislav Laznicka</span>
<i>at 2018-03-06T12:00:23Z</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">vault: fix vault-retrieve to a file
`data` is bytes but we were opening the "--out" file as
a text.
https://pagure.io/freeipa/issue/7430
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/commit/95a45a2b0942a9ac38d5418b23821f7da1ce28a3">95a45a2b</a></strong>
<div>
<span>by Rob Crittenden</span>
<i>at 2018-03-06T19:17:16Z</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">Don't try to backup CS.cfg during upgrade if CA is not configured
https://pagure.io/freeipa/issue/7409
Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Fraser Tweedale <ftweedal@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/commit/3650e3b95560d78b86d863eb759dab815193d527">3650e3b9</a></strong>
<div>
<span>by Fraser Tweedale</span>
<i>at 2018-03-07T11:31:04Z</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">upgrade: remove fix_trust_flags procedure
The fix_trust_flags upgrade procedure pertains to the old Apache
mod_nss setup. With the move to mod_ssl, it now raises an
exception, so remove it.
Related: https://pagure.io/freeipa/issue/3757
Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/commit/2b17a086d0cfa3be5e31fecfe7650004cb3de0eb">2b17a086</a></strong>
<div>
<span>by Tibor Dudlák</span>
<i>at 2018-03-08T07:57:55Z</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">Do not check deleted files with `make fastlint`
when any file from FreeIPA tree has been deleted there was
a failure like:
pylint
------
************* Module ipaserver/install/ntpinstance.py
ipaserver/install/ntpinstance.py:1: [F0001(fatal), ] No module named ipaserver/install/ntpinstance.py)
Adding --diff-filter to fastlint will not list deleted files
in git diff --names-only output to not include not existing
files to checklist.
Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/commit/9797309ef92f5a4fc831ab9c2349b7c95cb47c95">9797309e</a></strong>
<div>
<span>by Ganna Kaihorodova</span>
<i>at 2018-03-08T08:05:01Z</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">Overide trust methods for integration tests
Overide trust method test_establish_trust_with_posix_attributes to test_establish_trust.
Windows Server 2016 doesn't have support for MFU/NIS, so autodetection is not working
https://pagure.io/freeipa/issue/7313
Reviewed-By: Alexander Koksharov <akokshar@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/commit/c9c58f2d35dfb8a6d1e187d260013812dcfdfd90">c9c58f2d</a></strong>
<div>
<span>by Nathaniel McCallum</span>
<i>at 2018-03-12T17:29:19Z</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">Fix OTP validation in FIPS mode
NSS doesn't allow keys to be loaded directly in FIPS mode. To work around
this, we encrypt the input key using an ephemeral key and then unwrap the
encrypted key.
https://pagure.io/freeipa/issue/7168
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/commit/a01a24ce5aded934095ea428d539ca30850f72e3">a01a24ce</a></strong>
<div>
<span>by Nathaniel McCallum</span>
<i>at 2018-03-12T17:29:19Z</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">Increase the default token key size
The previous default token key size would fail in FIPS mode for the sha384
and sha512 algorithms. With the updated key size, the default will work in
all cases.
https://pagure.io/freeipa/issue/7168
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/commit/d498d7272d8de3e24afc442a3b001518fd98ebff">d498d727</a></strong>
<div>
<span>by Nathaniel McCallum</span>
<i>at 2018-03-12T17:29:19Z</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">Revert "Don't allow OTP or RADIUS in FIPS mode"
This reverts commit 16a952a0a44a0ebee97029ea1d2f6b7593dd2622.
OTP now works in FIPS mode. RADIUS can be made to be compliant by wrapping
traffic in a VPN.
https://pagure.io/freeipa/issue/7168
https://pagure.io/freeipa/issue/7243
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/commit/54ea4aade63e9f69de3efcefe9c8efec93372ac3">54ea4aad</a></strong>
<div>
<span>by Florence Blanc-Renaud</span>
<i>at 2018-03-13T09:09:13Z</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">ipa-server-install: handle error when calling kdb5_util create
ipa-server-install creates the kerberos container by calling
kdb5_util create -s -r $REALM -x ipa-setup-override-restrictions
but does not react on failure of this command. The installer fails later
when trying to create a ldap principal, and it is difficult to diagnose the
root cause.
The fix raises a RuntimeException when kdb5_util fails, to make sure
that the installer exits immediately with a proper error message.
Note: no test added because there is no easy reproducer. One would need to
stop dirsrv just before calling kdb5_util to simulate a failure.
https://pagure.io/freeipa/issue/7438
Reviewed-By: Robbie Harwood <rharwood@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/commit/317c20e9dc673c2165ec4d8cc8875ba2ca59e066">317c20e9</a></strong>
<div>
<span>by Michal Reznik</span>
<i>at 2018-03-13T09:37:30Z</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">ipa_tests: test signing request with subca on replica
test to verify that replica is able to sign a certificate with
new sub CA.
https://pagure.io/freeipa/issue/7387
Reviewed-By: Fraser Tweedale <ftweedal@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/commit/7960352f1c3a0982ac87d061b9bef8418c2dae48">7960352f</a></strong>
<div>
<span>by Stanislav Laznicka</span>
<i>at 2018-03-13T09:52:41Z</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">Backup HTTPD's mod_ssl config and cert-key pair
https://pagure.io/freeipa/issue/3757
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/commit/105e774914325a42fdfc8233435ea33cba26c602">105e7749</a></strong>
<div>
<span>by Florence Blanc-Renaud</span>
<i>at 2018-03-14T11:25:04Z</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">ipa-restore: remove /etc/httpd/conf.d/nss.conf
When ipa-restore is called, it needs to delete the file
nss.conf, otherwise httpd server will try to initialize
the NSS engine and access NSSCertificateDatabase.
This is a regression introduced with the switch from NSS
to SSL.
https://pagure.io/freeipa/issue/7440
Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/commit/5a04936f47de0c60867804391393d18f6e955169">5a04936f</a></strong>
<div>
<span>by Michal Reznik</span>
<i>at 2018-03-14T11:26:42Z</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">test_caless: adjust try/except to capture also IOError
While testing on RHEL we are getting IOError instead of OSError.
Add also IOError to except clause.
This is mostly for compatibility reasons however should not cause
any issue as IOError is alias for OSError on Python3.
https://pagure.io/freeipa/issue/7439
Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/commit/2c05e42af6a8c7bccc1726bf05cf14be451a08fc">2c05e42a</a></strong>
<div>
<span>by Felipe Barreto</span>
<i>at 2018-03-14T11:28:16Z</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">Fixing cleanup process in test_caless
After commit bbe615e12c278f9cddaeb38e80b970bf14d9b32d, if the uninstall
process fails (in the test cleanup) the error is not hidden anymore.
That brought light to errors in the cleanup process on
TestReplicaInstall test, like this:
```
RUN ['ipa-server-install', '--uninstall', '-U']
ipapython.admintool: ERROR Server removal aborted:
Replication topology in suffix 'domain' is disconnected:
Topology does not allow server master.ipa.test to replicate with servers:
replica0.ipa.test.
ipapython.admintool: ERROR The ipa-server-install command failed
```
This commit changes the order of how a replica should be removed from
the topology.
Reviewed-By: Petr Vobornik <pvoborni@redhat.com>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/commit/bffcef6bbdc21315d79c783caf3fe3c74f2fe058">bffcef6b</a></strong>
<div>
<span>by Robbie Harwood</span>
<i>at 2018-03-14T17:05:17Z</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">Log errors from NSS during FIPS OTP key import
Signed-off-by: Robbie Harwood <rharwood@redhat.com>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/commit/a3060b5238cd011b972909322491a3b784e66d0d">a3060b52</a></strong>
<div>
<span>by amitkuma</span>
<i>at 2018-03-15T06:31:37Z</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">Error message while adding idrange with untrusted domain
While trying to add idrange with untrusted domain name error
message is misleading.
Changing the error message to:
invalid 'ID Range setup':Specified trusted domain
name could not be found.
Resolves: https://pagure.io/freeipa/issue/5078
Reviewed-By: Alexander Koksharov <akokshar@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/commit/5ef49ffcbcc855239ed4e6c8ee9b362a6d7b56a0">5ef49ffc</a></strong>
<div>
<span>by Felipe Barreto</span>
<i>at 2018-03-15T08:26:56Z</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">Adding more tests to PR CI
Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/commit/9a6a90bbdfee7fac5426c898f03fa163e24e2598">9a6a90bb</a></strong>
<div>
<span>by Felipe Barreto</span>
<i>at 2018-03-15T08:26:56Z</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">prci: Bump ci-master-f27 template to 1.0.3
This enable us to run WebUI tests
Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/commit/fd9ede5296afe7bfb52c4128d9dc1721a76f9add">fd9ede52</a></strong>
<div>
<span>by Christian Heimes</span>
<i>at 2018-03-15T11:57:00Z</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">Simplify Python package installation
Move logic for installing just the Python packages out of the spec file
and into our root Makefile. It removes code duplication to simplify a
spec file that supports building without Python 2.
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/commit/fa94ef0412c4f24d49aa6dfbd15e3634d52d1ff5">fa94ef04</a></strong>
<div>
<span>by Christian Heimes</span>
<i>at 2018-03-15T11:57:00Z</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">autoconf prefers Python 3 over 2
The configure script now looks for Python 3.6 or newer, then falls back
to Python 2. All Makefile default to Python 3 if Python 3 is available.
See: pagure.io/freeipa/issue/7131
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/commit/7a03a4e9a47d3e86a43fd5c1c035313eadebe50e">7a03a4e9</a></strong>
<div>
<span>by Christian Heimes</span>
<i>at 2018-03-16T06:33:58Z</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">Instrument installer to profile steps
Installer now prints runtime of each step / part to install log.
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/commit/bfd11701188bb1d41bf0d15942b8bd2776cfa159">bfd11701</a></strong>
<div>
<span>by Rob Crittenden</span>
<i>at 2018-03-16T06:42:07Z</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">Redirect CRL requests to the http port, not the https port
https://pagure.io/freeipa/issue/7433
Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/commit/d7c23a3ba66f4cbc42ed797b7592ff459914fd0f">d7c23a3b</a></strong>
<div>
<span>by Brian J. Murrell</span>
<i>at 2018-03-16T07:01:53Z</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">Move ETag disabling to /ipa virtual server
This moves the ETag disabling so that it's specific to the /ipa
virtual server rather than being applied to all virtual servers on the machine.
This enables better co-existence with other virtual servers that want ETags.
Signed-off-by: Brian J. Murrell <brian@interlinx.bc.ca>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Petr Vobornik <pvoborni@redhat.com>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/commit/75f7b7b5e697796fa5be3268e8332937aa15a5a2">75f7b7b5</a></strong>
<div>
<span>by Christian Heimes</span>
<i>at 2018-03-16T10:50:41Z</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">Make fasttest pass without ~/.ipa/default.conf
Some fast tests depend on an api.env with realm, domain, and host. On
machines without ~/.ipa/default.conf, the settings are not available.
Provide dummy values to make tests pass.
Closes: https://pagure.io/freeipa/issue/7432
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Aleksei Slaikovskii <aslaikov@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/commit/69599560c16c8d3b26d18ccec5b54e54dfea9cab">69599560</a></strong>
<div>
<span>by Christian Heimes</span>
<i>at 2018-03-16T13:25:37Z</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">Relax message check in test_create_host_with_ip
On Travis CI, the DNS update in test case test_create_host_with_ip may fail
with different error messages. Relax the error message check and just
check that the test case is hitting a DNS update failure.
This fixes a flaky test case on CI.
Closes: https://pagure.io/freeipa/issue/7447
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/commit/c450e2dc8fac12a26f727ca4ecd0d3d7662e42bc">c450e2dc</a></strong>
<div>
<span>by Alexey Slaykovsky</span>
<i>at 2018-03-16T13:26:48Z</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">Make WebUI unit tests to generate results as JUnit
Now WebUI unit tests are generating results in qunit format which
is not consumable well by Jenkins.
This patch adds NPM dependency for adding generation results in
JUnit XML format so it can be easily processed.
Reviewed-By: Christian Heimes <cheimes@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/commit/d6468615902180b5819fa550f8b1366db972f1fd">d6468615</a></strong>
<div>
<span>by Rob Crittenden</span>
<i>at 2018-03-16T15:35:10Z</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">Update Contributors.txt
Signed-off-by: Rob Crittenden <rcritten@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/commit/8946bf26545969db1914c42d5661b7f01d731663">8946bf26</a></strong>
<div>
<span>by Rob Crittenden</span>
<i>at 2018-03-16T16:44:32Z</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">Become IPA 4.6.90.pre1
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/commit/3bb3e7555d9dc833ab6a50917acee106cae18c2b">3bb3e755</a></strong>
<div>
<span>by Rob Crittenden</span>
<i>at 2018-03-16T18:20:33Z</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">VERSION.m4: Set back to git snapshot
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/commit/ce8ec5028af0508fe2230a0834b775a0bc9d2cd9">ce8ec502</a></strong>
<div>
<span>by Christian Heimes</span>
<i>at 2018-03-19T09:58:48Z</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">Pylint 1.8.3 fixes
Teach pylint more about the internals of API to fix various issues with
pylint 1.8.3.
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/commit/3871fe6de563f0f1ba030174b59cda0a7d8a7456">3871fe6d</a></strong>
<div>
<span>by Christian Heimes</span>
<i>at 2018-03-19T14:46:56Z</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">Keep owner when backing up CA.cfg
DogtagInstance.backup_config uses shutil.copy to create a backup of the
config file. The function does not retain owner and group, so it creates a
backup as user and group root:root.
Closes: https://pagure.io/freeipa/issue/7426
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Alexey Slaykovsky <alexey@slaykovsky.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/commit/2b47f8994f7ccd0ee1590cf3b103e85ac996f0bd">2b47f899</a></strong>
<div>
<span>by Christian Heimes</span>
<i>at 2018-03-19T14:48:46Z</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">Require Dogtag PKI >= 10.6
Dogtag 10.6.0-0.2 contains SQL NSS DB fixes and full Python 3 support.
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/commit/68c7b036893fcdad7cc2364b0fc2a841366493ef">68c7b036</a></strong>
<div>
<span>by Rob Crittenden</span>
<i>at 2018-03-19T16:38:41Z</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">Return a value if exceptions are raised in server uninstall
The AdminTool class purports to "call sys.exit() with the return
value" but most of the run implementations returned no value, or
the methods they called returned nothing so there was nothing to
return, so this was a no-op.
The fix is to capture and bubble up the return values which will
return 1 if any exceptions are caught.
This potentially affects other users in that when executing the
steps of an installer or uninstaller the highest return code
will be the exit value of that installer.
Don't use the Continuous class because it doesn't add any
value and makes catching the exceptions more difficult.
https://pagure.io/freeipa/issue/7330
Signed-off-by: Rob Crittenden rcritten@redhat.com
Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/commit/64fca87a52e361718b46aaec8d1d5eea0f5ccdbc">64fca87a</a></strong>
<div>
<span>by Rob Crittenden</span>
<i>at 2018-03-19T16:38:41Z</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">Remove the Continuous installer class, it is unused
https://pagure.io/freeipa/issue/7330
Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/commit/a6e6e7f5e44e85017f53c7eb59ef6eb89da16fe5">a6e6e7f5</a></strong>
<div>
<span>by Christian Heimes</span>
<i>at 2018-03-20T09:15:28Z</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">More cleanup after uninstall
Remove more files during ipaserver uninstallation:
* /etc/gssproxy/10-ipa.conf
* /etc/httpd/alias/*.ipasave
* /etc/httpd/conf/password.conf
* /etc/ipa/dnssec/softhsm2.conf
* /etc/systemd/system/httpd.service.d/
* /var/lib/ipa/dnssec/tokens
Fixes: https://pagure.io/freeipa/issue/7183
See: https://pagure.io/freeipa/issue/2694
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Alexander Koksharov <akokshar@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/commit/83c173cf9d38d252caafcd40267bb1a67c78c1c9">83c173cf</a></strong>
<div>
<span>by Fraser Tweedale</span>
<i>at 2018-03-20T09:28:05Z</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">install: configure dogtag status request timeout
Configure the status request timeout, i.e. the connect/data timeout
on the HTTP request to get the status of Dogtag.
This configuration is needed in "multiple IP address" scenarios
where this server's hostname has multiple IP addresses but the HTTP
server is only listening on one of them. Without a timeout, if a
"wrong" IP address is tried first, it will take a long time to
timeout, exceeding the overall timeout hence the request will not be
re-tried. Setting a shorter timeout allows the request to be
re-tried.
Note that HSMs cause different behaviour so this value might not be
suitable for when we implement HSM support. It is known that a
value of 5s is too short in HSM environment.
This fix requires pki-core >= 10.6.0, which is already required by
the spec file.
Fixes: https://pagure.io/freeipa/issue/7425
Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/commit/518e3578d12c1189ef4c7e6c60eef8fe762ef786">518e3578</a></strong>
<div>
<span>by Ganna Kaihorodova</span>
<i>at 2018-03-20T09:44:22Z</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">Fix for test TestInstallMasterReservedIPasForwarder
Second check in test is failing, because it accepts default installer's values of domain, which is already used for lab machines.
IPA DNS domain must not exist before the installation, fix is to provide domain name derived from vm name.
Reviewed-By: Alexey Slaykovsky <alexey@slaykovsky.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/commit/b947296fe9bada50b17a42ad42794a35286ba3d4">b947296f</a></strong>
<div>
<span>by Alexey Slaykovsky</span>
<i>at 2018-03-20T13:42:49Z</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">Make tox tests to generate results in JUnit XML
As our tox runs pytest it's great to have their results in JUnit
format for later processing.
Reviewed-By: Alexander Koksharov <akokshar@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/commit/ce0b87e9a694004e4ce7a886ef3bac76041be4f5">ce0b87e9</a></strong>
<div>
<span>by Takeshi MIZUTA</span>
<i>at 2018-03-21T07:41:34Z</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">Fix some typos in man page
Reviewed-By: Fraser Tweedale <ftweedal@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/commit/0f31564b35aac250456233f98730811560eda664">0f31564b</a></strong>
<div>
<span>by Florence Blanc-Renaud</span>
<i>at 2018-03-21T08:35:56Z</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">ipa-replica-install: make sure that certmonger picks the right master
During ipa-replica-install, http installation first creates a service
principal for http/hostname (locally on the soon-to-be-replica), then
waits for this entry to be replicated on the master picked for the
install.
In a later step, the installer requests a certificate for HTTPd. The local
certmonger first tries the master defined in xmlrpc_uri (which is
pointing to the soon-to-be-replica), but fails because the service is not
up yet. Then certmonger tries to find a master by using the DNS and looking
for a ldap service. This step can pick a different master, where the
principal entry has not always be replicated yet.
As the certificate request adds the principal if it does not exist, we can
end by re-creating the principal and have a replication conflict.
The replication conflict later causes kerberos issues, preventing
from installing a new replica.
The proposed fix forces xmlrpc_uri to point to the same master as the one
picked for the installation, in order to make sure that the master already
contains the principal entry.
https://pagure.io/freeipa/issue/7041
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/commit/b43e73143de66b0068cd01379c134d5ef6e304e9">b43e7314</a></strong>
<div>
<span>by Petr Vobornik</span>
<i>at 2018-03-21T14:29:50Z</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">realm domains: improve doc text
It is quite unclear how realm domains behave without reading source
code. New doc text describes its purpose and how it is managed.
https://pagure.io/freeipa/issue/7424
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/commit/48acb7d86583c54296bc8334517989ce5a2199ea">48acb7d8</a></strong>
<div>
<span>by Alexander Bokovoy</span>
<i>at 2018-03-21T21:22:35Z</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">Processing of server roles should ignore errors.EmptyResult
When non-admin user issues a command that utilizes
api.Object.config.show_servroles_attributes(), some server roles might
return errors.EmptyResult, indicating that a role is not visible to this
identity.
Most of the callers to api.Object.config.show_servroles_attributes() do
not process errors.EmptyResult so it goes up to an API caller. In case
of Web UI it breaks retrieval of the initial configuration due to ipa
config-show failing completely rather than avoiding to show available
server roles.
Fixes: https://pagure.io/freeipa/issue/7452
Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/commit/2da9a4ca6a060dea106f02269a961d9e6b8bebcf">2da9a4ca</a></strong>
<div>
<span>by Alexander Bokovoy</span>
<i>at 2018-03-21T21:22:35Z</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">Update template directory with new variables when upgrading ipa.conf.template
With e6c707b168067ebb3705c21efc377acd29b23fff we changed httpd
configuration to use abstracted out variables in the template.
However, during upgrade we haven't resolved these variables so an
upgrade from pre-e6c707b168067ebb3705c21efc377acd29b23fff install will
fail.
Add all missing variables to the upgrade code.
Fixes https://pagure.io/freeipa/issue/7454
Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/commit/b47d6a3654ee05e5751bde8ab32934bd809a7347">b47d6a36</a></strong>
<div>
<span>by Alexander Bokovoy</span>
<i>at 2018-03-22T10:33:17Z</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">use LDAP Whoami command when creating an OTP token
ipa user-find --whoami is used by ipa otptoken-add to populate
ipaTokenOwner and managedBy attributes. These attributes, in turn are
checked by the self-service ACI which allows to create OTP tokens
assigned to the creator.
With 389-ds-base 1.4.0.6-2.fc28 in Fedora 28 beta there is a bug in
searches with scope 'one' that result in ipa user-find --whoami
returning 0 results.
Because ipa user-find --whoami does not work, non-admin user cannot
create a token. This is a regression that can be fixed by using LDAP
Whoami command.
LDAP Whoami command returns a string 'dn: <DN of the bind>', so we have
to strip first four characters to get actual DN.
Fixes: https://pagure.io/freeipa/issue/7456
Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/commit/e7e06f6d78c299b2ad99f2e6eb00e0a5156d65e5">e7e06f6d</a></strong>
<div>
<span>by Stanislav Laznicka</span>
<i>at 2018-03-22T15:17:29Z</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">Dogtag configs: rename deprecated options
ipa-{server,kra}-install logs have been showing warnings about
deprecation of some Dogtag configuration options. Follow
the warnings' advice and rename these options to their newer
form.
Reviewed-By: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Alexander Koksharov <akokshar@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/commit/7cbd9bd429c97d335471b1c739f6d6d63c83c35d">7cbd9bd4</a></strong>
<div>
<span>by Stanislav Laznicka</span>
<i>at 2018-03-23T11:48:46Z</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">Encrypt httpd key stored on disk
This commit adds configuration for HTTPD to encrypt/decrypt its
key which we currently store in clear on the disc.
A password-reading script is added for mod_ssl. This script is
extensible for the future use of directory server with the
expectation that key encryption/decription will be handled
similarly by its configuration.
https://pagure.io/freeipa/issue/7421
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/commit/48fb6d2c87aee50eb81a1678a33cecd89a4ea3d6">48fb6d2c</a></strong>
<div>
<span>by Christian Heimes</span>
<i>at 2018-03-23T12:08:39Z</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">Fix compatibility with latest pytest
pytest removed copy() method from its Namespace class. Use the copy
module to make a copy of early options.
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/commit/a678336b8b36cdbea2512e79c09e475fdc249569">a678336b</a></strong>
<div>
<span>by Alexander Bokovoy</span>
<i>at 2018-03-23T14:31:48Z</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">upgrade: Run configuration upgrade under empty ccache collection
Use temporary empty DIR-based ccache collection to prevent upgrade
failures in case KCM: or KEYRING: ccache type is used by default in
krb5.conf and is not available. We don't need any user credentials
during upgrade procedure but kadmin.local would attempt to resolve
default ccache and if that's not available, kadmin.local will fail.
Fixes: https://bugzilla.redhat.com/show_bug.cgi?id=1558818
Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/commit/830b608d67c8b0b2bfaf4a995d86a583dbcb7ec2">830b608d</a></strong>
<div>
<span>by Stanislav Laznicka</span>
<i>at 2018-03-24T13:18:23Z</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">Remove py35 env from tox testing
Ever since fa94ef04, only Python3 versions >=3.6 are supported.
Removing py35 env from tox tests.
Reviewed-By: Christian Heimes <cheimes@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/commit/d8cbd5d3ace7c3b032e9a1f2dc716b9feea1c554">d8cbd5d3</a></strong>
<div>
<span>by Michal Reznik</span>
<i>at 2018-03-24T13:23:47Z</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">ui_tests: change get_http_pkey() function
change get_http_pkey() function to more generic one in
order to get pkey for different services
https://pagure.io/freeipa/issue/7441
Reviewed-By: Petr Vobornik <pvoborni@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/commit/62a131aba0ec14eb5d15e92f7ed45172a2254669">62a131ab</a></strong>
<div>
<span>by Michal Reznik</span>
<i>at 2018-03-24T13:23:47Z</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">ui_tests: add_host() support func in test_service
Add add_host() support func into test_service to
create temp hosts.
https://pagure.io/freeipa/issue/7441
Reviewed-By: Petr Vobornik <pvoborni@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/commit/0f5084b9c4cfcb6ed25dd87dca7f58223994765a">0f5084b9</a></strong>
<div>
<span>by Michal Reznik</span>
<i>at 2018-03-24T13:23:47Z</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">ui_tests: add_service() support func in test_service
Add add_service() support func into test_service.
https://pagure.io/freeipa/issue/7441
Reviewed-By: Petr Vobornik <pvoborni@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/commit/735d48d82080e720d238519d233f6f333c2cf166">735d48d8</a></strong>
<div>
<span>by Michal Reznik</span>
<i>at 2018-03-24T13:23:47Z</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">ui_tests: add more test cases to test_certification
Add cases for:
"cancel_cert_request", "cancel_hold_cert", "cancel_remove_hold",
"cancel_revoke_cert" and "revoke_cert"
https://pagure.io/freeipa/issue/7441
Reviewed-By: Petr Vobornik <pvoborni@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/commit/cd86fd21c574503eec2c20e8c9fe204b21e6a907">cd86fd21</a></strong>
<div>
<span>by Michal Reznik</span>
<i>at 2018-03-24T13:23:47Z</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">ui_tests: add more test cases
Add more test cases to test_services. Details in the ticket.
https://pagure.io/freeipa/issue/7441
Reviewed-By: Petr Vobornik <pvoborni@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/commit/01fa54117de5e77f3ec94207e9f66bbfd177ac9e">01fa5411</a></strong>
<div>
<span>by Michal Reznik</span>
<i>at 2018-03-24T13:23:47Z</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">ui_tests: add assert_notification()
Add assert_notification() function to check whether
we have a notification of particular type/
https://pagure.io/freeipa/issue/7441
Reviewed-By: Petr Vobornik <pvoborni@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/commit/7fb4f755e9046d444bdd4e3e5362e2e15766686d">7fb4f755</a></strong>
<div>
<span>by Michal Reznik</span>
<i>at 2018-03-24T13:23:47Z</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">ui_tests: add assert_field_required()
Add assert_field_required() to check whether we
got 'Required field' error message.
https://pagure.io/freeipa/issue/7441
Reviewed-By: Petr Vobornik <pvoborni@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/commit/95de6f061cc1959030e25bd4d3e27bb1f962d3bb">95de6f06</a></strong>
<div>
<span>by Michal Reznik</span>
<i>at 2018-03-24T13:23:47Z</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">ui_tests: add funcs to add/remove users public SSH key
Add funcs to add/remove users public SSH key.
https://pagure.io/freeipa/issue/7441
Reviewed-By: Petr Vobornik <pvoborni@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/commit/18e8c964f574ad9ad17b0dfdaba6b1cbd6def317">18e8c964</a></strong>
<div>
<span>by Michal Reznik</span>
<i>at 2018-03-24T13:23:47Z</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">ui_tests: add function to run cmd on UI host
Run shell command on the UI system using "admin"
user's passwd from conf.
https://pagure.io/freeipa/issue/7441
Reviewed-By: Petr Vobornik <pvoborni@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/commit/553183944ab808ba0b1b77dd4971c04dd3d3fc0f">55318394</a></strong>
<div>
<span>by Michal Reznik</span>
<i>at 2018-03-24T13:23:47Z</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">ui_tests: make associations cancelable
Adjust associations functions to simulate "cancel"
action.
https://pagure.io/freeipa/issue/7441
Reviewed-By: Petr Vobornik <pvoborni@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/commit/16083eb9b56a753fe1ba56fbbad826e7f4dc6e63">16083eb9</a></strong>
<div>
<span>by Michal Reznik</span>
<i>at 2018-03-24T13:23:47Z</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">ui_tests: test cancel and delete without button
Add "confirm_btn" to cancel dialog and if "None" return
for confirmation with "Enter" key.
https://pagure.io/freeipa/issue/7441
Reviewed-By: Petr Vobornik <pvoborni@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/commit/bf1f2d1c3f16cea1800e773cbf7e8e59203bbbde">bf1f2d1c</a></strong>
<div>
<span>by Michal Reznik</span>
<i>at 2018-03-24T13:23:47Z</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">ui_tests: select_combobox() fixes
Move strict "search_btn" element finding to later so we
do not fail when using combobox without search button.
Also switch open_btn.click() before fill_textbox() as it
is used to close the selection.
https://pagure.io/freeipa/issue/7441
Reviewed-By: Petr Vobornik <pvoborni@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/commit/5f87b9c3e502a33e50ad1f19bac3825729b9a7bb">5f87b9c3</a></strong>
<div>
<span>by Michal Reznik</span>
<i>at 2018-03-24T13:23:47Z</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">ui_tests: run ipa-get/rmkeytab command on UI host
Run ipa-get/rmkeytab command on UI host in order to test whether
we have the key un/provisioned.
https://pagure.io/freeipa/issue/7441
Reviewed-By: Petr Vobornik <pvoborni@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/commit/5afbe1d26103909760239e62e252b09e5fb3b155">5afbe1d2</a></strong>
<div>
<span>by Fraser Tweedale</span>
<i>at 2018-03-26T07:39:17Z</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">replica-install: warn when there is only one CA in topology
For redundancy and security against catastrophic failure of a CA
master, there must be more than one CA master in a topology.
Replica installation is a good time to warn about this situation.
Print a warning at the end of ipa-replica-install, if there is only
one CA replica in the topology.
Fixes: https://pagure.io/freeipa/issue/7459
Reviewed-By: Christian Heimes <cheimes@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/commit/47cf159f118de42ba703ad5fa0b47f5fa0bbb894">47cf159f</a></strong>
<div>
<span>by Stanislav Laznicka</span>
<i>at 2018-03-26T07:42:07Z</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">Fix upgrading of FreeIPA HTTPD
With the recent encryption of the HTTPD keys, it's also necessary
to count with this scenario during upgrade and create the password
for the HTTPD private key along the cert/key pair.
This commit also moves the HTTPD_PASSWD_FILE_FMT from ipalib.constants
to ipaplatform.paths as it proved to be too hard to be used that way.
https://pagure.io/freeipa/issue/7421
Reviewed-By: Christian Heimes <cheimes@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/commit/e707d974a396b9b57e753038e57f3de90f9cd37c">e707d974</a></strong>
<div>
<span>by Stanislav Laznicka</span>
<i>at 2018-03-26T07:42:07Z</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">ipa_backup: Backup the password to HTTPD priv key
https://pagure.io/freeipa/issue/7421
Reviewed-By: Christian Heimes <cheimes@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/commit/7580da414d9335db2e4da81028bdf5e2867ed958">7580da41</a></strong>
<div>
<span>by Felipe Barreto</span>
<i>at 2018-03-26T07:51:25Z</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">Adding Django's Code of Conduct
We will use the Django's Code of Conduct to develop the FreeIPA CoC
Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/commit/30ab8c47435ce639a79fbaa6edf34bb978a0aa8f">30ab8c47</a></strong>
<div>
<span>by Felipe Barreto</span>
<i>at 2018-03-26T07:51:25Z</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">Changing Django's CoC to reflect FreeIPA CoC
Also including sections "Scope" and "Enforcement" from Contributor
Covenant [1]
[1] https://www.contributor-covenant.org/
Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/commit/1fe795b75b9b3b123f055fcd620dd45c2535673f">1fe795b7</a></strong>
<div>
<span>by Pavel Picka</span>
<i>at 2018-03-26T11:00:39Z</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">WebUI Hostgroups tests cases added
Added test for negative (invalid) names
Added test for add/add another/add and edit/cancel buttons
Added test for duplicate records
https://pagure.io/freeipa/issue/7458
Signed-off-by: Pavel Picka <ppicka@redhat.com>
Reviewed-By: Petr Vobornik <pvoborni@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/commit/ccec8c6c4193a204428b7ba0f93dac6f0eb26020">ccec8c6c</a></strong>
<div>
<span>by amitkuma</span>
<i>at 2018-03-26T13:16:54Z</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">clear sssd cache when uninstalling client
The SSSD cache is not cleared when uninstalling an IPA client. For tidiness we should wipe the cache. This can be done with sssctl.
Note that this tool is in sssd-tools which is not currently a dependency.
Resolves: https://pagure.io/freeipa/issue/7376
Reviewed-By: Christian Heimes <cheimes@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/commit/b0d8c6c21198e8b0a9604e9ee01c422a6c550c91">b0d8c6c2</a></strong>
<div>
<span>by amitkuma</span>
<i>at 2018-03-26T13:16:54Z</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">clear sssd cache when uninstalling client
The SSSD cache is not cleared when uninstalling an IPA client. For tidiness we should wipe the cache. This can be done with sssctl.
Note that this tool is in sssd-tools which is not currently a dependency.
Resolves: https://pagure.io/freeipa/issue/7376
Reviewed-By: Christian Heimes <cheimes@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/commit/421fc376ccb8668c07692d3a3394a5869dc97296">421fc376</a></strong>
<div>
<span>by Fraser Tweedale</span>
<i>at 2018-03-28T10:30:31Z</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">Fix upgrade when named.conf does not exist
Commit aee0d2180c7119bef30ab7cafea81dc3df1170b7 adds an upgrade step
that adds system crypto policy include to named.conf. This step
omitted the named.conf existence check; upgrade fails when it does
not exist. Add the existence check.
Also update the test to add the IPA-related part of the named.conf
config, because the "existence check" actually does more than just
check that the file exists - it also check that it contains the IPA
bind-dyndb-ldap configuration section.
Part of: https://pagure.io/freeipa/issue/4853
Reviewed-By: Christian Heimes <cheimes@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/commit/0176e1a68a5b5fc30cb753d6334ddeca8ce3f8c2">0176e1a6</a></strong>
<div>
<span>by Fraser Tweedale</span>
<i>at 2018-03-28T10:42:11Z</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">Add commentary about PKI admin password
Add a note in cainstance.configure_instance that "admin_password" is
the password to be used for the PKI admin account, NOT the IPA admin
password. In fact, it is set to the Directory Manager password.
This comment would have saved me some time during recent
investigation of a replica installation issue.
Reviewed-By: Christian Heimes <cheimes@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/commit/34d06b2be71823bc8898732f1ced0185f83afb01">34d06b2b</a></strong>
<div>
<span>by Alexander Bokovoy</span>
<i>at 2018-03-28T13:29:00Z</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">Allow anonymous access to parentID attribute
Due to optimizations in 389-ds performed as result of
https://pagure.io/389-ds-base/issue/49372, LDAP search filter
is rewritten to include parentID information. It implies that parentID
has to be readable for a bound identity performing the search. This is
what 389-ds expects right now but FreeIPA DS instance does not allow it.
As result, searches with a one-level scope fail to return results that
otherwise are matched in a sub scope search.
While 389-ds developers are working on the fix for issue
https://pagure.io/389-ds-base/issue/49617, we can fix it by adding an
explicit ACI to allow reading parentID attribute at the suffix level.
Fixes: https://pagure.io/freeipa/issue/7466
Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/commit/70c6da9c54f7e7926f46f804189a95677acfe5f1">70c6da9c</a></strong>
<div>
<span>by Petr Vobornik</span>
<i>at 2018-03-28T13:31:27Z</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">webui tests: fix test_host:test_crud failure
test_host.py::test_host::test_crud fails in nightly tests in delete record
step.
It started to fail probably after commit 4295df17a42897f6f59be21c25c5dd03984e35d3
which changed host-add behavior into showing a warning message about DNS resolution
instead of raising an error. This warning notification stays displayed for some
time, as all longer, notifications. By being open it takes some area on the page.
Given that webui tests proceeds quicker than a user, the notification can
cover some elements.
The test fails because web driver cannot click on an element which is covered
by the notification. In this case, it cannot open a deleter dialog.
So the fix is to close the notification(s). This is OK since a user would do
it as well if it was in a way.
This kind of issue is harder to reproduce when testing locally because
most people uses screen resolution 1920x1200 or full HD. PR-CI uses
1400x1200 for web ui testing.
/usr/bin/Xvfb $DISPLAY -ac -noreset -screen 0 1400x1200x8
So alternative fix would be to change resolution used by the PR-CI. Combination
of both could be the best.
https://pagure.io/freeipa/issue/7468
Reviewed-By: Felipe Volpone <fbarreto@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/commit/64438f861947febe5ea10eda56ff89fd8900e80a">64438f86</a></strong>
<div>
<span>by Christian Heimes</span>
<i>at 2018-03-28T19:18:48Z</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">Cleanup and remove more files on uninstall
* /etc/nsswitch.conf.ipabkp
* /etc/openldap/ldap.conf.ipabkp
* /var/lib/ipa/sysrestore/*
* /var/named/dyndb-ldap/ipa/
* /var/lib/dirsrv/scripts-%s/
See: https://pagure.io/freeipa/issue/2694
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/commit/d705320ec136abc2fcf524f2b63a76d3fc0ba97a">d705320e</a></strong>
<div>
<span>by Christian Heimes</span>
<i>at 2018-04-03T06:07:46Z</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">Temporarily disable authconfig backup and restore
The authconfig command from authselect-compat-0.3.2-1 does not support
backup and restore at all. Temporarily disable backup and restore of
auth config to fix broken ipa-backup.
Fixes: https://pagure.io/freeipa/issue/7478
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/commit/e7c4f77d0dbd43cbe8ad0d08bde9c19305b999a1">e7c4f77d</a></strong>
<div>
<span>by Felipe Barreto</span>
<i>at 2018-04-03T06:10:01Z</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">Adding right parameters to install IPA in TestInstallMasterReservedIPasForwarder
When installing ipa in interactive mode, it's necessary to provide the
hostname. This will make the test pass.
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/commit/6b145bf3e696e6d40b74055ccdf8d14da7828a09">6b145bf3</a></strong>
<div>
<span>by Felipe Barreto</span>
<i>at 2018-04-03T06:10:01Z</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">temp commit: adding test to PR CI run
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/commit/a947695ab034821fb8b70cdc8b66898e5c7ebb45">a947695a</a></strong>
<div>
<span>by Felipe Barreto</span>
<i>at 2018-04-03T12:20:18Z</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">Fix TestSubCAkeyReplication providing the right path to pki log
The pki debug log has its name in this format: debug.<date>.log. This commit
changes the code to use this format, fixing the test.
Unfortunately, it's not possible to use some kind of regex (like debug.*.log)
to get the file, because python multihost gets the path and tries to open
(using the "open" python function) the file with that.
https://pagure.io/freeipa/issue/7095
Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/commit/6aca027ecc5c1bbcd1a69deea10d2ff991c53f5e">6aca027e</a></strong>
<div>
<span>by Christian Heimes</span>
<i>at 2018-04-04T06:58:48Z</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">Fix installer CA port check for port 8080
The installer now checks that port 8080 is available and not in use by
any other application.
The port checker has been rewritten to use bind() rather than just
checking if a server responds on localhost. It's much more reliable and
detects more problems.
Original patch by m3gat0nn4ge.
Co-authored-by: Mega Tonnage <m3gat0nn4ge@gmail.com>
Fixes: https://pagure.io/freeipa/issue/7415
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/commit/5a4e358b00825e982726416797be4606f98a33b8">5a4e358b</a></strong>
<div>
<span>by amitkuma</span>
<i>at 2018-04-04T08:23:18Z</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">Correction of management spelling.
Reviewed-By: Christian Heimes <cheimes@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/commit/951e5db10c428ca838633d9fcf750ce921cfa7df">951e5db1</a></strong>
<div>
<span>by amitkuma</span>
<i>at 2018-04-05T09:25:01Z</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">Correcting detect typo in server.m4
Reviewed-By: Christian Heimes <cheimes@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/commit/b7293a91848a7039fab8846dd3c0f45c1b0131a1">b7293a91</a></strong>
<div>
<span>by Ganna Kaihorodova</span>
<i>at 2018-04-06T14:00:48Z</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">TestBasicADTrust.test_ipauser_authentication
test_ipauser_authentication is failing with error: "Confidentiality required"
Password operation must be performed over a secure connection
To start TLS encryption added -ZZ option, in order to be connection successful
https://pagure.io/freeipa/issue/7470
Reviewed-By: Aleksei Slaikovskii <aslaikov@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/commit/b82a2295b895b0dcbc8a649ad5865c143f763931">b82a2295</a></strong>
<div>
<span>by Christian Heimes</span>
<i>at 2018-04-09T07:01:29Z</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">Load librpm on demand for IPAVersion
ctypes.util.find_library() is costly and slows down startup of ipa CLI.
ipaplatform.redhat.tasks now defers loading of librpm until its needed.
CFFI has been replaced with ctypes, too.
See: https://pagure.io/freeipa/issue/6851
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/commit/7b1b0b35ea2c89e57c037ac57c453c322af42f0c">7b1b0b35</a></strong>
<div>
<span>by Petr Vobornik</span>
<i>at 2018-04-09T07:02:40Z</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">Fix order of commands in test for removing topology segments
test_topology_updated_on_replica_install_remove from the beginning used
invalid sequence of commands for removing a replica.
Proper order is:
master$ ipa server-del $REPLICA
replica$ ipa-server-install --uninstall
Alternatively usage of `ipa-replica-manage del $replica` instead of
`ipa server-del $replica` is possible. In essence ipa-replica-manage
calls the server-del command.
At some point there was a plan to achieve uninstalation only through
`ipa-server-install --uninstall` but that was never achieved to this
date.
This change also removes the ugly wrapper which makes test collection
fail if no environment config is provided (i.e. replicas cannot be
indexed).
$ pytest --collect-test ipatests/test_integration
https://pagure.io/freeipa/issue/6250
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/commit/dc4f28de52da5f2a387a4db86bf120cebd65745e">dc4f28de</a></strong>
<div>
<span>by Michal Reznik</span>
<i>at 2018-04-09T07:06:48Z</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">test_webui: add user life-cycles tests
Add user life-cycles test cases.
https://pagure.io/freeipa/issue/7463
Reviewed-By: Petr Vobornik <pvoborni@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/commit/2a6ba687d0efc5209e945291b685386a1d6bbe0a">2a6ba687</a></strong>
<div>
<span>by Michal Reznik</span>
<i>at 2018-04-09T07:06:48Z</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">test_web_ui: extend ui_driver methods
Add close_all_dialogs(),change assert_last_dialog_details() method
to assert_last_error_dialog() to make it more generic and tweak
add_record() method to skip asserts so we can assert later.
We are also changing assert_record_value() to accept list of values
and adding select_multiple_records().
https://pagure.io/freeipa/issue/7463
Reviewed-By: Petr Vobornik <pvoborni@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/commit/888d9861f86f27531753cc53644b098dc395098d">888d9861</a></strong>
<div>
<span>by Christian Heimes</span>
<i>at 2018-04-09T09:42:05Z</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">Require more recent glibc on F27
On CPUs with AVX-512 instruction set, ntpd sometimes segfaults because
PTHREAD_STACK_MIN is too small. The bug has been fixed in
glibc-2.26-24.fc27.x86_64 or later.
Fixes: https://bugzilla.redhat.com/show_bug.cgi?id=1564527
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Alexey Slaykovsky <alexey@slaykovsky.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/commit/28acbc6c1144f996e9376467c992e219240be38f">28acbc6c</a></strong>
<div>
<span>by Ganna Kaihorodova</span>
<i>at 2018-04-09T13:15:47Z</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">Fix in IPA's multihost fixture
AD related tests, which aren't require all set of AD machines
were skipped with error msg: Not enough resources configured.
Changed hard coded number of AD machines to use.
Reviewed-By: Aleksei Slaikovskii <aslaikov@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/commit/7b546ffedb727578a232a4decb7c4f9a620fb67d">7b546ffe</a></strong>
<div>
<span>by Rob Crittenden</span>
<i>at 2018-04-09T13:23:41Z</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">Break out of teardown in test_replica_promotion.py if no config
These tests are all skipped if there is no YAML configuration
file passed but the teardown method is always called and since
there is a reference to the Config object this blows up if just
ipa-run-tests is executed.
Look at the config and break out if no domains are set.
Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Tibor Dudlak <tdudlak@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/commit/bfb544adfdc423fd383fdf7c86a9f6c497ae3750">bfb544ad</a></strong>
<div>
<span>by Tibor Dudlák</span>
<i>at 2018-04-09T15:00:02Z</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">Removes ntp from dependencies and behave as there is always -N option
Addresses: https://pagure.io/freeipa/issue/7024
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/commit/0090a90ba2ed3b4cba1c86996b352828cc5403a7">0090a90b</a></strong>
<div>
<span>by Tibor Dudlák</span>
<i>at 2018-04-09T15:00:02Z</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">Add dependency and paths for chrony
Addresses: https://pagure.io/freeipa/issue/7024
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/commit/ca9c4d70a0043152274dfbe7cbb1bb8a1465000a">ca9c4d70</a></strong>
<div>
<span>by Tibor Dudlák</span>
<i>at 2018-04-09T15:00:02Z</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">Replace ntpd with chronyd in installation
Completely remove ipaserver/install/ntpinstance.py
This is no longer needed as chrony client configuration
is now handled in ipa-client-install.
Part of ipclient/install/client.py related to ntp configuration
has been refactored a bit to not lookup for srv records
and/or run chrony if not necessary.
Addresses: https://pagure.io/freeipa/issue/7024
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/commit/fb28dfff93b382207635eaa776eb31f99b0f5b2f">fb28dfff</a></strong>
<div>
<span>by Tibor Dudlák</span>
<i>at 2018-04-09T15:00:02Z</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">FreeIPA server is time synchronization client only
This will change behaviour that FreeIPA server will be no more
ntpd server and time service is no longer part of FreeIPA topology.
As dependency for ntpd was completely removed, and there is only
dependency for chrony, FreeIPA will configure every host to
became chronyd service's clients.
FreeIPA have not supported --ntp-server option now it must to
support client configuration of chrony.
Configuration of chrony is moved to client-install therefore
NTP related options are now passed to the ipa-client-install
script method sync_time which now handles configuration of chrony.
Server installation has to configure chrony before handling
certificates so there is call to configure chrony outside of
using server's statestore and filestore.
Removed behavior that there is always --no-ntp option set.
Resolves: https://pagure.io/freeipa/issue/7024
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/commit/194518f11fde9d3a3bc449baa019bb536ac9cd31">194518f1</a></strong>
<div>
<span>by Tibor Dudlák</span>
<i>at 2018-04-09T15:00:02Z</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">Add --ntp-pool option to installers
FreeIPA Server and Client now support option for chrony
configuration --ntp-pool.
This option may be used with option --ntp-server.
Resolves: https://pagure.io/freeipa/issue/7024
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/commit/5d9c749e830819e0e12bdd9388b6b0c2542cf906">5d9c749e</a></strong>
<div>
<span>by Tibor Dudlák</span>
<i>at 2018-04-09T15:00:02Z</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">Adding method to ipa-server-upgrade to cleanup ntpd
Removing ntpd configuration files and entry from LDAP.
Add parameter and rename method for restoring forced time
services. Addressing some requests for change too.
Remove unused path for chrony-helper.
Resolves: https://pagure.io/freeipa/issue/7024
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/commit/333acf1ab6dc710d05e1978f72775c77fbef00c7">333acf1a</a></strong>
<div>
<span>by Tibor Dudlák</span>
<i>at 2018-04-09T15:00:02Z</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">Update man pages for FreeIPA client, replica and server install
Addresses: https://pagure.io/freeipa/issue/7024
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/commit/ece56ea69a24279d416ec2d6c13e06949001534a">ece56ea6</a></strong>
<div>
<span>by Tibor Dudlák</span>
<i>at 2018-04-09T15:00:02Z</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">Removes NTP server role from servroles and description
Resolves: https://pagure.io/freeipa/issue/7024
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/commit/dba87a47a7df092a1044c116ef9e7590ebdc8b62">dba87a47</a></strong>
<div>
<span>by Tibor Dudlák</span>
<i>at 2018-04-09T15:00:02Z</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">Remove NTP server role while upgrading
Remove NTP server role from config.py.
Remove uneccesary variables and replaced untrack_file with restore_file.
Update typo in manpages and messages printed while installing.
Resolves: https://pagure.io/freeipa/issue/7024
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/commit/74c2b46cde5bd332bd2ea95854cdb6178c72857d">74c2b46c</a></strong>
<div>
<span>by Tibor Dudlák</span>
<i>at 2018-04-09T15:00:02Z</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">Remove unnecessary option --force-chrony
FreeIPA will always force chrony service and disable any
other conflicting time synchronization daemon.
Add --ntp-server option to server manpage and note to NTP pool option.
Addresses: https://pagure.io/freeipa/issue/7024
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/commit/878cbaa232145540f5db7559b2bc317f065f2636">878cbaa2</a></strong>
<div>
<span>by Tibor Dudlák</span>
<i>at 2018-04-09T15:00:02Z</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">Add enabling chrony daemon when not configured
Moves chrony enablement and sync attempt to new method
so chrony will be enabled even when not configured.
Add logger info about skipping configuration to client's
installation when not on master and -N is used.
Resolves: https://pagure.io/freeipa/issue/7024
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/commit/e279d891fe63043bfa6226c59525036670a464f6">e279d891</a></strong>
<div>
<span>by Tibor Dudlák</span>
<i>at 2018-04-09T15:00:02Z</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">Configure chrony with pool when server not set
When there was no ntp-server option specified configuration
of chrony was skipped even in case that there was ntp-pool
option passed to the installation of client/server.
Moved duplicates of prints from client to server.
Resolves: https://pagure.io/freeipa/issue/7024
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/commit/395a68d20887d0ac010e480e68b225d6dfeff726">395a68d2</a></strong>
<div>
<span>by Christian Heimes</span>
<i>at 2018-04-10T05:58:52Z</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">Defer import of ipaclient.csrgen
The modules ipaclient.csrgen and ipaclient.csrgen_ffi are expensive to load,
but rarely used. On demand loading speeds up ipa CLI by about 200ms.
Fixes: https://pagure.io/freeipa/issue/7484
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Fraser Tweedale <ftweedal@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/commit/9762bd12797e1f01b48ec903c2dcb40649c1e484">9762bd12</a></strong>
<div>
<span>by Christian Heimes</span>
<i>at 2018-04-10T06:17:20Z</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">Provide ldap_uri in Custodia uninstaller
Without ldap_uri, IPAKEMKeys parses /etc/ipa/default.conf. During
uninstallation, the file may no longer contain ldap_uri. This workaround
is required for test case
test_replica_promotion.py::TestReplicaPromotionLevel0::test_promotion_disabled
Fixes: https://pagure.io/freeipa/issue/7474
Co-authored-by: Felipe Barreto <fbarreto@redhat.com>
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Fraser Tweedale <ftweedal@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/commit/8246d0cd5a9fc079ff2eb6bfd9fe841f9d416592">8246d0cd</a></strong>
<div>
<span>by Stanislav Laznicka</span>
<i>at 2018-04-10T11:29:46Z</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">replica-install: pass --ip-address to client install
In replica DL1 installation, the --ip-address option was not passed
down to the ipa-client-install script (when not promoting client).
This resulted in creating DNS records for all of the host's interface
IP adresses instead of just those specified.
This patch passes all the --ip-address options down to the client
installation script.
https://pagure.io/freeipa/issue/7405
Reviewed-By: Tibor Dudlak <tdudlak@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/commit/807a5cbe7cc52690336c5095ec6aeeb0a4e8483c">807a5cbe</a></strong>
<div>
<span>by Christian Heimes</span>
<i>at 2018-04-10T15:35:17Z</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">certdb: Move chdir into subprocess call
According to a comment, certutil may create files in the current working
directory. Rather than changing the cwd of the current process,
FreeIPA's certutil wrapper now changes cwd for the subprocess only.
See: https://pagure.io/freeipa/issue/7416
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/commit/1b320ac3e7ab763d932512f2c497288711bc09e8">1b320ac3</a></strong>
<div>
<span>by Christian Heimes</span>
<i>at 2018-04-10T15:35:17Z</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">Remove os.chdir() from test_ipap11helper
test_ipap11helper no longer changes directory for the entire test suite.
The fix revealed a bug in another test suite. test_secrets now uses a
proper temporary directory.
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/commit/b7be4cf2be89ab94525db6365cfc8135156e3cfe">b7be4cf2</a></strong>
<div>
<span>by Christian Heimes</span>
<i>at 2018-04-12T07:33:02Z</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">Fix Python dependencies
Fix typo in dependencies and require release of python-ldap.
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/commit/afc0d4b62d043cd568ce87400f60e8fa8273495f">afc0d4b6</a></strong>
<div>
<span>by Christian Heimes</span>
<i>at 2018-04-12T18:29:35Z</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">Add nsds5ReplicaReleaseTimeout to replica config
The nsds5ReplicaReleaseTimeout setting prevents the monopolization of
replicas during initial or busy master-master replication. 389-DS
documentation suggets a timeout of 60 seconds to improve convergence of
replicas.
See: http://directory.fedoraproject.org/docs/389ds/design/repl-conv-design.html
Fixes: https://pagure.io/freeipa/issue/7488
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/commit/5041b13fc99b227efc9fea19ffd3e0f494118538">5041b13f</a></strong>
<div>
<span>by Felipe Barreto</span>
<i>at 2018-04-13T08:30:51Z</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">Reverting commit 6b145bf3e696e6d40b74055ccdf8d14da7828a09
Commit 6b145bf3e696e6d40b74055ccdf8d14da7828a09 should not be pushed,
because it was not the intention to add a new test to .freeipa-pr-ci.
This commits reverts its change.
Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/commit/7c8fd5630da2de5d3c88cd5fec7787427259f123">7c8fd563</a></strong>
<div>
<span>by Fraser Tweedale</span>
<i>at 2018-04-16T10:16:40Z</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">Fix upgrade (update_replica_config) in single master mode
Commit afc0d4b62d043cd568ce87400f60e8fa8273495f added an upgrade
step that add an attribute to a replica config entry. The entry
only exists after a replica has been added, so upgrade was broken
for standalone server. Catch and suppress the NotFound error.
Related to: https://pagure.io/freeipa/issue/7488
Reviewed-By: Christian Heimes <cheimes@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/commit/e16ea525e249aa3aaeb14a2c56380815d5067131">e16ea525</a></strong>
<div>
<span>by Alexander Bokovoy</span>
<i>at 2018-04-17T06:18:17Z</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">upgrade: treat duplicate entry when updating as not an error
When we attempt to update an entry during upgrade, it may have already
contain the data in question between the check and the update. Ignore
the change in this case and record it in the log.
Fixes: https://pagure.io/freeipa/issue/7450
Reviewed-By: Christian Heimes <cheimes@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/commit/1dbc6ded723dd1729d69b605f3998d4a9e71f48f">1dbc6ded</a></strong>
<div>
<span>by Alexander Bokovoy</span>
<i>at 2018-04-17T06:49:34Z</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">replication: support error messages from 389-ds 1.3.5 or later
389-ds 1.3.5 changed the error message format for
nsds5ReplicaLastUpdateStatus value. Now it produces
"Error (%d) %s" instead of "%d %s".
Change the check_repl_update() to handle both formats.
Fixes: https://pagure.io/freeipa/issue/7442
Reviewed-By: Christian Heimes <cheimes@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/commit/64ffd117d2b4938e0935f9ea00d5eb90c0e7b3e6">64ffd117</a></strong>
<div>
<span>by Alexander Bokovoy</span>
<i>at 2018-04-17T12:28:45Z</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">install: validate AD trust-related options in installers
We already validate that --setup-dns is specified when any of
DNS-related options provided by a user. Do the same for --setup-adtrust
case.
Fixes: https://pagure.io/freeipa/issue/7410
Reviewed-By: Christian Heimes <cheimes@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/commit/692a9931da326d2de00255c494786f90929843eb">692a9931</a></strong>
<div>
<span>by Tibor Dudlák</span>
<i>at 2018-04-17T14:25:12Z</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">Fix format string passed to pytest-multihost
Integration trust test suit failed with error trying to
start chronyd because of bad formating of passed string
See: https://pagure.io/python-pytest-multihost/issue/15
Resolves: https://pagure.io/freeipa/issue/7487
Reviewed-By: Christian Heimes <cheimes@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/commit/d4dd2b1ccb065e464ed28fc097b4d06d474617e9">d4dd2b1c</a></strong>
<div>
<span>by Ganna Kaihorodova</span>
<i>at 2018-04-18T07:31:02Z</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">Fix for integration tests dns_locations
Delete code related to NTP checks.
As we migrated to chronyd and IPA server is not NTP server anymore
https://pagure.io/freeipa/issue/7499
Reviewed-By: Tibor Dudlak <tdudlak@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/commit/b43c2f8ab4769a473ba81b23321acda7fd57e94c">b43c2f8a</a></strong>
<div>
<span>by Petr Vobornik</span>
<i>at 2018-04-19T10:11:26Z</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">webui: refresh complex pages after modification
Details facet for user, hosts, service, user override entities require
complex reload as they gather information from multiple sources - e.g.
all of them do cert-find. On update only $entity-mod is execute and its
result doesn't have all information required for refresh of the page
therefore some fields are missing or empty.
This patch modifies the facets to do full refresh instead of default
load and thus the pages will have all required info.
https://pagure.io/freeipa/issue/5776
Reviewed-By: Felipe Volpone <felipevolpone@gmail.com>
Reviewed-By: Michal Reznik <mreznik@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/commit/105d7d7f2efa6368ca7f7ff9a219540f4e008ea7">105d7d7f</a></strong>
<div>
<span>by Varun Mylaraiah</span>
<i>at 2018-04-19T10:59:09Z</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">WebUI tests: Extend user group tests with more scenarios
1) Extended webui group automation test with below scenarios
Scenarios
*Add user group with invalid names
*Add multiple groups records at one shot
*Select and delete multiple records
*Find and delete records etc...
2) Improved add_record method to support additional use cases:
*confirm by additional buttons: 'Add', 'Add and add another', 'Add and Edit,' 'Cancel'
*add multiple records in one call (uses 'Add and add another' behavior)
https://pagure.io/freeipa/issue/7485
Signed-off-by: Varun Mylaraiah <mvarun@redhat.com>
Reviewed-By: Petr Vobornik <pvoborni@redhat.com>
Reviewed-By: Michal Reznik <mreznik@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/commit/1a6e36011933e2bb1ef853b10052959b92decc10">1a6e3601</a></strong>
<div>
<span>by Varun Mylaraiah</span>
<i>at 2018-04-19T10:59:09Z</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">Fixed improper clean-up in test_host::test_kerberos_flags added closing the notification in kerberos flags
Signed-off-by: Varun Mylaraiah <mvarun@redhat.com>
Reviewed-By: Petr Vobornik <pvoborni@redhat.com>
Reviewed-By: Michal Reznik <mreznik@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/commit/a7b18372ed0f6be95e382194ad599b8a35113351">a7b18372</a></strong>
<div>
<span>by Fraser Tweedale</span>
<i>at 2018-04-19T12:57:53Z</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">certprofile: reject config with multiple profileIds
In certprofile-import if the config file contains two profileId
directives with different values, with the first matching the
profile ID CLI argument and the second differing, the profile gets
imported under the second ID. This leads to:
- failure to enable the profile
- failure to add the IPA "tracking" certprofile object
- inability to delete the misnamed profile from Dogtag (via ipa CLI)
To avert this scenario, detect and reject profile configurations
where profileId is specified multiple times (whether or not the
values differ).
https://pagure.io/freeipa/issue/7503
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/commit/0f8593354d8008a501a6e7fa5f142d970face65a">0f859335</a></strong>
<div>
<span>by Fraser Tweedale</span>
<i>at 2018-04-19T12:57:53Z</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">certprofile: add tests for config profileId scenarios
Update the certprofile tests to cover the various scenarios
concerning the profileId property in the profile configuration.
The scenarios now explicitly tested are:
- profileId not specified (should succeed)
- mismatched profileId property (should fail)
- multiple profileId properties (should fail)
- one profileId property, matching given ID (should succeed)
https://pagure.io/freeipa/issue/7503
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/commit/2de1aa27f981060acd6a867c89ef963a18cc27df">2de1aa27</a></strong>
<div>
<span>by Alexander Bokovoy</span>
<i>at 2018-04-19T12:59:45Z</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">ACL: Allow hosts to remove services they manage
Allow hosts to delete services they own. This is an ACL that complements
existing one that allows to create services on the same host.
Add a test that creates a host and then attempts to create and delete a
service using its own host keytab.
Fixes: https://pagure.io/freeipa/issue/7486
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/commit/b5bdd07bc54ca557491652ce61011ae6aa3eb592">b5bdd07b</a></strong>
<div>
<span>by Stanislav Laznicka</span>
<i>at 2018-04-20T07:43:37Z</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">Add absolute_import future imports
Add absolute_import from __future__ so that pylint
does not fail and to achieve python3 behavior in
python2.
Reviewed-By: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/commit/41352ef9388dbba408762d64b60a6a1f53048bcd">41352ef9</a></strong>
<div>
<span>by Rob Crittenden</span>
<i>at 2018-04-20T12:51:37Z</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">Revert run_pk12util part of 807a5cbe7cc52690336c5095ec6aeeb0a4e8483c
Only certutil creates files in the local directory. Changing the
directory for pk12util breaks ipa-server-certinstall if the
PKCS#12 file is not passed in as an absolute path.
https://pagure.io/freeipa/issue/7489
Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Alexey Slaykovsky <alexey@slaykovsky.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/commit/138ae4abe7d4737ae2e1c6526476b8be009178db">138ae4ab</a></strong>
<div>
<span>by Rob Crittenden</span>
<i>at 2018-04-20T12:51:37Z</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">ipa-server-certinstall failing, unknown option realm
The option realm was being passed in instead of realm_name.
https://pagure.io/freeipa/issue/7489
Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Alexey Slaykovsky <alexey@slaykovsky.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/commit/3384147ca1b69f64d197869577e39e7c056bcd51">3384147c</a></strong>
<div>
<span>by Rob Crittenden</span>
<i>at 2018-04-20T12:51:37Z</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">Some PKCS#12 errors are reported with full path names
This is related to change in certutil which does a cwd
to the location of the NSS database. certutil is used as part
of loading a PKCS#12 file to do validation.
https://pagure.io/freeipa/issue/7489
Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Alexey Slaykovsky <alexey@slaykovsky.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/commit/4919bd9dae0222509af6ebf4f50ff7602b48c334">4919bd9d</a></strong>
<div>
<span>by Rob Crittenden</span>
<i>at 2018-04-20T12:51:37Z</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">Remove xfail from CALes test test_http_intermediate_ca
The full chain is not required by mod_ssl.
https://pagure.io/freeipa/issue/7489
Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Alexey Slaykovsky <alexey@slaykovsky.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/commit/6c4635e779e8f1c171396c9ffb12948c0878bd79">6c4635e7</a></strong>
<div>
<span>by Anuja More</span>
<i>at 2018-04-24T09:20:08Z</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">Adding test-cases for ipa-cacert-manage
File : ipatests/test_integration/test_external_ca.py
Scenario1: Manual renew external CA cert with invalid file
when ipa-server is installed with external-ca
and renew with invalid cert file the renewal
should fail.
Scenario2: install CA cert manually
Install ipa-server. Create rootCA, using
ipa-cacert-manage install option install
new cert from RootCA
Signed-off-by: Anuja More <amore@redhat.com>
Signed-off-by: Anuja More <amore@redhat.com>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/commit/9d73e4a0f169acc3db6388ae8b8e2ecb1e1c62aa">9d73e4a0</a></strong>
<div>
<span>by Rob Crittenden</span>
<i>at 2018-04-25T06:23:47Z</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">Allow dot as a valid character in an selinux identity name
Both of these are legal: unconfined_u and unconfined.u
https://pagure.io/freeipa/issue/7510
Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/commit/5165afd50124b057f8ff5bef565bf65f19235656">5165afd5</a></strong>
<div>
<span>by Ganna Kaihorodova</span>
<i>at 2018-04-25T09:52:32Z</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">Fix trust tests for Posix Support
Test ecxpects auto-detection of trust type, Windows Server 2016 doesn't have
support for MFU/NIS (SFU - Services for Unix), so auto detection doesn't work
Fix is to pass extra arguments to the trust-add command,
such as --range-type="ipa-ad-trust-posix" to enforce a particular range type
https://pagure.io/freeipa/issue/7508
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/commit/07be3306c16c0c8eb729b980c5bd7fdba8343433">07be3306</a></strong>
<div>
<span>by amitkuma</span>
<i>at 2018-04-25T10:06:09Z</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">RFE: ipa client should setup openldap for GSSAPI
The IPA client installer currently edits /etc/openldap/ldap.conf, setting up
the client to consume LDAP data from IPA. It currently sets:
URI
BASE
TLS_CACERT
This PR makes ipa-client to add this AV pair:
SASL_MECH GSSAPI
Resolves: https://pagure.io/freeipa/issue/7366
Reviewed-By: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/commit/ad2eb3d09b8336008d7f04c3d134c707530d9eb6">ad2eb3d0</a></strong>
<div>
<span>by Christian Heimes</span>
<i>at 2018-04-25T10:14:23Z</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">CA replica PKCS12 workaround for SQL NSSDB
CA replica installation fails, because 'caSigningCert cert-pki-ca' is
imported a second time under a different name. The issue is caused
by the fact, that SQL NSS DB handles duplicated certificates differently
than DBM format.
Fixes: https://bugzilla.redhat.com/show_bug.cgi?id=1561730
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Fraser Tweedale <ftweedal@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/commit/04e1ae7bf14e5da12cf094e901a73c379657eaf5">04e1ae7b</a></strong>
<div>
<span>by Christian Heimes</span>
<i>at 2018-04-25T10:14:23Z</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">Require 389-ds-base >= 1.4.0.8-1
1.4.0.8-1 contains a bug fix for an error in SASL connection handling.
See: https://pagure.io/389-ds-base/issue/49639
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Fraser Tweedale <ftweedal@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/commit/236fa61eebc62ece1e17add0d0e5b82a35afeadb">236fa61e</a></strong>
<div>
<span>by Christian Heimes</span>
<i>at 2018-04-25T11:58:11Z</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">Create users in server-common pre hook
The ipaapi user was created in the server package but referenced by a
config file in the server-common package. The server-common package can
be installed without the server package. This caused an error
Unknown user 'ipaapi'
with systemd-tmpfiles --create. The users are now created in the
server-common package.
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Alexey Slaykovsky <alexey@slaykovsky.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/commit/13b9608d5c0715e9afb98362112c45bc346bad8b">13b9608d</a></strong>
<div>
<span>by Christian Heimes</span>
<i>at 2018-04-25T12:02:29Z</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">Add augeas dependency to client package
Commit 5d9c749e830819e0e12bdd9388b6b0c2542cf906 add dependency on augeas
Python package, but freeipa.spec was not updated. The python[23]-ipaclient
packages now correctly depend on python[23]-augeas.
Fixes: https://pagure.io/freeipa/issue/7512
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/commit/53f87ee5cd9d19f6fb91a9a1eafc8ea798095954">53f87ee5</a></strong>
<div>
<span>by Fraser Tweedale</span>
<i>at 2018-04-25T12:41:12Z</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">py3: fix csrgen error handling
csrgen error handling marshalls an error string from libcrypto.
This is not handled correctly under python3. Fix the error
handling.
Part of: https://pagure.io/freeipa/issue/7496
Reviewed-By: Christian Heimes <cheimes@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/commit/7633d62d858c14523a99143aa0ff36f76bb4ff68">7633d62d</a></strong>
<div>
<span>by Fraser Tweedale</span>
<i>at 2018-04-25T12:41:12Z</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">csrgen: support initialising OpenSSL adaptor with key object
As a convenience for using it with the test suite, update the csrgen
OpenSSLAdaptor class to support initialisation with a
python-cryptography key object, rather than reading the key from a
file.
Part of: https://pagure.io/freeipa/issue/7496
Reviewed-By: Christian Heimes <cheimes@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/commit/0ac1d3ea62efd9751fcc59cea46bcdafe1f11c37">0ac1d3ea</a></strong>
<div>
<span>by Fraser Tweedale</span>
<i>at 2018-04-25T12:41:12Z</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">csrgen: drive-by docstring
Part of: https://pagure.io/freeipa/issue/7496
Reviewed-By: Christian Heimes <cheimes@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/commit/852618fd6529fbdd7b03077fae37c6fbbe45b51b">852618fd</a></strong>
<div>
<span>by Fraser Tweedale</span>
<i>at 2018-04-25T12:41:12Z</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">csrgen: fix when attribute shortname is lower case
OpenSSL requires attribute short names ("CN", "O", etc) to be in
upper case, otherwise it fails to add the attribute. This can be
triggered when FreeIPA has been installed with --subject-base
containing a lower-case attribute shortname (e.g.
--subject-base="o=Red Hat").
Explicitly convert the attribute type string to an OID
(ASN1_OBJECT *). If that fails, upper-case the type string and try
again.
Add some tests for the required behaviour.
Fixes: https://pagure.io/freeipa/issue/7496
Reviewed-By: Christian Heimes <cheimes@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/commit/9d838210bba10e0033d09826023d66e9fa2374c7">9d838210</a></strong>
<div>
<span>by Felipe Barreto</span>
<i>at 2018-04-25T18:53:58Z</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">Adding GSSPROXY_CONF to be backed up on ipa-backup
Without GSSPROXY_CONF being backed up, we would get this error
"ipa: ERROR: No valid Negotiate header in server response"
when running any ipa command after a backup restore.
This commit also fixes the tests:
- TestBackupAndRestore::test_full_backup_and_restore
- TesttBackupAndRestore::test_full_backup_and_restore_with_selinux_booleans_off
https://pagure.io/freeipa/issue/7473
Reviewed-By: Christian Heimes <cheimes@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/commit/415578a199a221a3ed78cbf4d629c3e4ff6f39ec">415578a1</a></strong>
<div>
<span>by Felipe Barreto</span>
<i>at 2018-04-25T18:53:58Z</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">Fixing TestBackupAndRestore::test_full_backup_and_restore_with_removed_users
The test as it was, was testing the backup and restore based on previous
backups and restore, not with an actual installation.
Now, with a clear setup for each test, the test mentioned above will not
fail to do a lookup (using the host command, in check_dns method) for
the master domain.
Reviewed-By: Christian Heimes <cheimes@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/commit/2d5245cebcb498cf7c3c98f38784ed4d7d641c38">2d5245ce</a></strong>
<div>
<span>by Florence Blanc-Renaud</span>
<i>at 2018-04-26T06:31:08Z</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">ipa-advise config-server-for-smart-card-auth: use mod-ssl
ipa-advise config-server-for-smart-card-auth produces a script that
was still using /etc/httpd/conf.d/nss.conf instead of
/etc/httpd/conf.d/ssl.conf for setting the Apache SSLOCSPEnable Directive.
The fix replaces references to nss.conf with ssl.conf.
https://pagure.io/freeipa/issue/7515
Reviewed-By: Christian Heimes <cheimes@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/commit/84e60e5f998a0c934d1992538a2e3b90b10a2af3">84e60e5f</a></strong>
<div>
<span>by Stanislav Laznicka</span>
<i>at 2018-04-26T12:30:06Z</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">Fix typo in ipa-getkeytab --help
Fix the typo in ipa-getkeytab -k option description by
replacing the text with the one from man
Reviewed-By: Christian Heimes <cheimes@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/commit/994f71ac8a1bb7ba6bc9caf0f6e4f59af44ad9c4">994f71ac</a></strong>
<div>
<span>by Christian Heimes</span>
<i>at 2018-04-26T19:19:53Z</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">Use single Custodia instance in installers
Installers now pass a single CustodiaInstance object around, instead of
creating new instances on demand. In case of replica promotion with CA,
the instance gets all secrets from a master with CA present. Before, an
installer created multiple instances and may have requested CA key
material from a different machine than DM password hash.
In case of Domain Level 1 and replica promotion, the CustodiaInstance no
longer adds the keys to the local instance and waits for replication to
other replica. Instead the installer directly uploads the new public
keys to the remote 389-DS instance.
Without promotion, new Custodia public keys are still added to local
389-DS over LDAPI.
Fixes: https://pagure.io/freeipa/issue/7518
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Simo Sorce <ssorce@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/commit/fc371b651e5512cf06dd5de932632444f519376c">fc371b65</a></strong>
<div>
<span>by Thierry Bordaz</span>
<i>at 2018-04-27T08:26:26Z</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">Hardening of topology plugin to prevent erronous deletion of a replica agreement
When a segment is deleted, the underlying replica agreement is also deleted.
An exception to this is if the status of the deleted segment is "obsolete" (i.e. merged segments)
The status should contain only one value, but to be protected against potential
bugs (like https://pagure.io/389-ds-base/issue/49619) this fix checks if
"obsolete" is in the status values.
https://pagure.io/freeipa/issue/7461
Reviewed-By: Christian Heimes <cheimes@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/commit/1df1786b06485139918e412b2e20164a0726d387">1df1786b</a></strong>
<div>
<span>by Florence Blanc-Renaud</span>
<i>at 2018-04-27T12:01:33Z</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">Migration from authconfig to authselect
The authconfig tool is deprecated and replaced by authselect. Migrate
FreeIPA in order to use the new tool as described in the design page
https://www.freeipa.org/page/V4/Authselect_migration
Fixes:
https://pagure.io/freeipa/issue/7377
Reviewed-By: Alexander Koksharov <akokshar@redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/commit/c36bd38360dd833ed657666d52e243e66b3c0dd5">c36bd383</a></strong>
<div>
<span>by Florence Blanc-Renaud</span>
<i>at 2018-04-27T12:01:33Z</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">New tests for authselect migration
Add new test for client and server installation when authselect tool
is used instead of authconfig
Related to
https://pagure.io/freeipa/issue/7377
Reviewed-By: Alexander Koksharov <akokshar@redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/commit/e442464509049240bdb05a8bae09ce1291ca6b86">e4424645</a></strong>
<div>
<span>by Florence Blanc-Renaud</span>
<i>at 2018-04-27T12:01:33Z</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">Revert commit d705320ec136abc2fcf524f2b63a76d3fc0ba97a
Commit d705320 was temporarily disabling authconfig backup and restore
because of issue 7478.
With the migration to authselect this is not needed any more
Related to
https://pagure.io/freeipa/issue/7377
Reviewed-By: Alexander Koksharov <akokshar@redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/commit/8fe5f8d2e73c5ada6f9f8149d1410c7e26acacf5">8fe5f8d2</a></strong>
<div>
<span>by Florence Blanc-Renaud</span>
<i>at 2018-04-27T12:01:33Z</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">ipa-advise: adapt config-client-for-smart-card-auth to authselect
ipa-advise config-client-for-smart-card-auth was producing a shell script
calling authconfig.
With the migration from authconfig to authselect, the script needs to
be updated and call authselect enable-feature with-smartcard instead.
Related to
https://pagure.io/freeipa/issue/7377
Reviewed-By: Alexander Koksharov <akokshar@redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/commit/00a8d00ea9f3ac2ce595670f2791b9b6bf20f5e4">00a8d00e</a></strong>
<div>
<span>by Varun Mylaraiah</span>
<i>at 2018-04-27T12:08:04Z</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">WebUI tests: Extend netgroup tests with more scenarios
Extended webui group automation test with below scenarios
Scenarios
*add netgroup with invalid names
*add and delete records in various scenarios
*verify button's action in various scenarios.
https://pagure.io/freeipa/issue/7505
Signed-off-by: Varun Mylaraiah <mvarun@redhat.com>
Reviewed-By: Petr Vobornik <pvoborni@redhat.com>
Reviewed-By: Michal Reznik <mreznik@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/commit/e16a76ad9713afb6b906c7534a5af246b10a3d49">e16a76ad</a></strong>
<div>
<span>by Michal Reznik</span>
<i>at 2018-04-27T12:19:59Z</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">ui_tests: extend test_user suite
Extend WebUI test_user suite with the following test cases:
test_add_user_special
test_user_misc
test_ssh_keys
test_add_delete_undo_reset
test_disable_delete_admin
test_login_without_username
https://pagure.io/freeipa/issue/7507
Reviewed-By: Petr Vobornik <pvoborni@redhat.com>
Reviewed-By: Varun Mylaraiah <mvarun@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/commit/e43cfaeb5259af20209f986e69769dd6a15b31d9">e43cfaeb</a></strong>
<div>
<span>by Michal Reznik</span>
<i>at 2018-04-27T12:19:59Z</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">ui_driver: extension and modifications related to test_user
In this patch we tune login() in order to test login without
username.
Then we add edit_multivalued and undo_multivalued to test "undo"
and "reset" buttons.
Also there is a new boolean "negative" in mod_record() to switch
button assertion.
Later ssh_key methods were fine-tuned a little to add more keys,
delete all of them and to extend their usage to hosts and id views.
Lastly new method assert_value_checked() was introduced to assert
whether a particular record is checked.
https://pagure.io/freeipa/issue/7507
Reviewed-By: Petr Vobornik <pvoborni@redhat.com>
Reviewed-By: Varun Mylaraiah <mvarun@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/commit/61dc15e5ef7cb70f6653d15dc5779c29b88a6348">61dc15e5</a></strong>
<div>
<span>by Michal Reznik</span>
<i>at 2018-04-27T12:19:59Z</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">ui_tests: introduce new test_misc cases file
By this commit we introduce new test_misc cases file to
test various miscellaneous cases that do not fit to other suites.
In this cases that "version" is present in profile`s "about".
https://pagure.io/freeipa/issue/7507
Reviewed-By: Petr Vobornik <pvoborni@redhat.com>
Reviewed-By: Varun Mylaraiah <mvarun@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/commit/51b9a82f7cb251ef4ca6e4fa15cac22f7ef1b4e3">51b9a82f</a></strong>
<div>
<span>by Anuja More</span>
<i>at 2018-04-27T16:06:36Z</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">Adding test-cases for ipa-cacert-manage
Scenario1: Setup external CA1 and install ipa-server with CA1.
Setup exteranal CA2 and renew ipa-server with CA2.
Get information to compare CA change for ca1 and CA2
it should show different Issuer between install
and renewal.
Scenario2: Renew CA Cert on Replica using ipa-cacert-manage
verify that replica is caRenewalMaster
Signed-off-by: Anuja More <amore@redhat.com>
Reviewed-By: Michal Reznik <mreznik@redhat.com>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/commit/2d6d768d1aaa958ae77b5941a4f268e12894c226">2d6d768d</a></strong>
<div>
<span>by Alexander Bokovoy</span>
<i>at 2018-04-28T06:44:25Z</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">idoverrideuser-add: allow adding ssh key in web ui
CLI already allows to pass public SSH key when creating an ID override
for a user. Web UI allows to add public SSH keys after the ID override
was created.
Add SSH key field to allow passing public SSH key in one go when
creating an ID override for a user.
Fixes: https://pagure.io/freeipa/issue/7519
Reviewed-By: Christian Heimes <cheimes@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/commit/3d30cf6034cacceb978ae3bcf918900bcbdece1f">3d30cf60</a></strong>
<div>
<span>by Rob Crittenden</span>
<i>at 2018-04-28T07:06:21Z</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">Update project metadata in ipasetup.py.in
Point mailing list to lists.fedorahosted.org
Use HTTPS for all URLs
Drop Solaris and Unix from platforms
Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/commit/6856a9f46cf7418b4188dbc27bc8c20841739542">6856a9f4</a></strong>
<div>
<span>by Rob Crittenden</span>
<i>at 2018-04-28T07:07:28Z</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">Log service start/stop/restart message
It wasn't apparent in the logs if a service stop or restart
was complete so in the case of a hang it wasn't obvious which
service was responsible. Including start here for completeness.
https://pagure.io/freeipa/issue/7436
Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/commit/792adebfabb456d154164387fb7e60acb30f4325">792adebf</a></strong>
<div>
<span>by Robbie Harwood</span>
<i>at 2018-04-28T14:35:16Z</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">Enable SPAKE support using krb5.conf.d snippet
Because krb5 silently ignores unrecognized options, this is safe on
all versions. It lands upstream in krb5-1.17; in Fedora, it was added
in krb5-1.6-17.
Upstream documentation can be found in-tree at
https://github.com/krb5/krb5/blob/master/doc/admin/spake.rst
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/commit/73c3495db2dc1df38407aa7b49fed2f222e85bbe">73c3495d</a></strong>
<div>
<span>by Christian Heimes</span>
<i>at 2018-04-28T14:35:16Z</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">Use shutil to copy file
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/commit/d5e5bd501c8ed8df72562a9acdef922eaa00206e">d5e5bd50</a></strong>
<div>
<span>by Stanislav Laznicka</span>
<i>at 2018-04-30T09:04:35Z</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">Add absolute_import to test_authselect
This is to keep backward compatibility with Python 2
Reviewed-By: Christian Heimes <cheimes@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/commit/3c66e388dea5d272735dfea53a4329000e90b3c8">3c66e388</a></strong>
<div>
<span>by Christian Heimes</span>
<i>at 2018-04-30T12:13:40Z</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">Compatibility with pytest 3.4
The nose_compat plugin uses internal pytest APIs to suspend and resume
the capture manager. In pytest 3.4, the internal APIs have changed and a
public API was added.
The fix is required to run integration tests under Fedora 28.
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/commit/a4418963ce2fcb56712fce157d877003833fccc5">a4418963</a></strong>
<div>
<span>by Christian Heimes</span>
<i>at 2018-04-30T17:39:52Z</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">Remove contrib/nssciphersuite
The directory contained a script to generate mod_nss configuration
snippet. Since FreeIPA moved to mod_ssl, it is no longer of use.
Fixes: https://pagure.io/freeipa/issue/5673
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/commit/c925b44f4348baf674fa8637be21ba0addfe2487">c925b44f</a></strong>
<div>
<span>by Christian Heimes</span>
<i>at 2018-04-30T18:42:00Z</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">Load certificate files as binary data
In Python 3, cryptography requires certificate data to be binary. Even
PEM encoded files are treated as binary content.
certmap-match and cert-find were loading certificates as text files. A
new BinaryFile type loads files as binary content.
Fixes: https://pagure.io/freeipa/issue/7520
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/commit/6659392a0a5064b25f8d0b5a2fe805a172b7e586">6659392a</a></strong>
<div>
<span>by Fraser Tweedale</span>
<i>at 2018-05-02T09:15:49Z</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">install: fix reported external CA configuration
The installer reports the CA configuration that will be used,
including whether the CA is self-signed or externally-signed.
Installation with external CA takes two steps. The first step
correctly reports the externally signed configuration (like the
above), but the second step reports a self-signed configuration.
The CA *is* externally signed, but the configuration gets reported
incorrectly at step 2. This could confuse the administrator. Fix
the message.
Fixes: https://pagure.io/freeipa/issue/7523
Reviewed-By: Christian Heimes <cheimes@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/commit/0653d2a17e67a32c9adcca8145afa231f228b855">0653d2a1</a></strong>
<div>
<span>by Rob Crittenden</span>
<i>at 2018-05-02T09:18:04Z</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">Validate the Directory Manager password before starting restore
The password was only indirectly validated when trying to
disable replication agreements for the restoration.
https://pagure.io/freeipa/issue/7136
Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/commit/ae6c8d2c7a65a85fe64a45b9430a91f9ab97e1d7">ae6c8d2c</a></strong>
<div>
<span>by Rob Crittenden</span>
<i>at 2018-05-02T12:12:11Z</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">Handle whitespace, add separator to regex in set_directive_lines
We added the separator to the regex in set_directive_lines to avoid
grabbing just a prefix. This doesn't allow for whitespace around
the separator.
For the Apache case we expected that the separator would be just
spaces but it can also use tabs (like Ubuntu 18). Add a special
case so that passing in a space separator is treated as whitespace
(tab or space).
https://pagure.io/freeipa/issue/7490
Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/commit/e16e5cd0a67012feb8ea4bdf316dbce943c56cc2">e16e5cd0</a></strong>
<div>
<span>by Rob Crittenden</span>
<i>at 2018-05-02T12:12:11Z</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">Use a regex in installutils.get_directive instead of line splitting
This will allow for whitespace around the separator and changes the
default space separator into white space (space + tabs) to be more
generic and work better on Ubuntu which uses tabs in its Apache
configuration.
https://pagure.io/freeipa/issue/7490
Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/commit/5929d5d87255a6d8a00a35c4dd4ad2f75b022cac">5929d5d8</a></strong>
<div>
<span>by Tibor Dudlák</span>
<i>at 2018-05-02T20:44:54Z</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">Use temporary pid file for chronyd -q task
chrony is causing an SELinux denial because of chronyd
was not spawned using systemd and the command creates
a pidfile for unconfined proccess in /var/run with SELinux label:
unconfined_u:object_r:var_run_t:s0
Following chronyd daemon enablement with systemd will fail
due to mismatched SELinux labels on chronyd pidfile.
chronyd pidfile should be labeled with the following label:
system_u:object_r:chronyd_var_run_t:s0
This also changes bindcmdaddress to not touch /var/run/chrony.
Reviewed-By: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/commit/606af69bbd0f0c24c5f52a20041cec147e9cd3f9">606af69b</a></strong>
<div>
<span>by Christian Heimes</span>
<i>at 2018-05-03T06:36:51Z</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">Make ipatests' create_external_ca a script
The test helper create_external_ca is useful to create an external root
CA and sign ipa.csr for external CA testing. I also moved the file into
ipatests top package to make the import shorter and to avoid an import
warning.
Usage:
ipa-server-install --external-ca ...
python3 -m ipatests.create_external_ca
ipa-server-install --external-cert-file=/tmp/rootca.pem \
--external-cert-file=/tmp/ipaca.pem
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Fraser Tweedale <ftweedal@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/commit/ce3819c3b7fdb511b7e4c38a365629a187d65f75">ce3819c3</a></strong>
<div>
<span>by Robbie Harwood</span>
<i>at 2018-05-03T08:18:29Z</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">Move krb5 snippet into freeipa-client-common
Also move /usr/share/ipa into freeipa-common by necessity.
https://pagure.io/freeipa/issue/7524
Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/commit/1c1089c44df34c04d5ba4572191a49962e859a92">1c1089c4</a></strong>
<div>
<span>by Christian Heimes</span>
<i>at 2018-05-03T12:25:36Z</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">ipa-client package needs sssd-tool
Commit ccec8c6c4193a204428b7ba0f93dac6f0eb26020 add a call to sssctl but
the providing package sssd-tools was not added to ipa-client package.
The tool is not need to build packages.
See: https://pagure.io/freeipa/issue/7376
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/commit/63a5feb19f60e46d3ba22ea2d3231eff88002f2a">63a5feb1</a></strong>
<div>
<span>by Florence Blanc-Renaud</span>
<i>at 2018-05-03T14:39:58Z</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">authselect test: skip test if authselect is not available
Currently, the test is skipped if the platform is fedora-like. The
decision to skip should rather be based on authselect command
availability (i.e. when ipaplatform.paths.paths.AUTHSELECT is None).
Related to
https://pagure.io/freeipa/issue/7377
Reviewed-By: Christian Heimes <cheimes@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/commit/aa64ef03a04b6e2509924a9f968724232123be3a">aa64ef03</a></strong>
<div>
<span>by Florence Blanc-Renaud</span>
<i>at 2018-05-03T14:39:58Z</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">authselect migration: use stable interface to query current config
The code currently parses the output of "authselect current" in order
to extract the current profile and options. Example:
$ authselect current
Profile ID: sssd
Enabled features:
- with-mkhomedir
It is easier to use the output of "authselect current --raw". Example:
$ authselect current --raw
sssd with-mkhomedir
Related to
https://pagure.io/freeipa/issue/7377
Reviewed-By: Christian Heimes <cheimes@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/commit/1adc941d1f1caeffa8cf490783b7819298e828ce">1adc941d</a></strong>
<div>
<span>by Alexander Bokovoy</span>
<i>at 2018-05-03T14:44:57Z</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">group-del: add a warning to logs when password policy could not be removed
When a user with sufficient permissions creates a group using ipa
group-add and then deletes it again with group-del ipa gives an
Insufficient access error, but still deletes the group.
This is due to a need to remove an associaed password policy for the
group. However, a password policy might be inaccessible to the user
(created by a more powerful admin) and there is no way to check that it
exists with current privileges other than trying to remove it.
Seeing a Python exceptions in the Apache log without explanation is
confusing to many users, so add a warning message that explains what
happens here.
Fixes: https://pagure.io/freeipa/issue/6884
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/commit/648d7c0d38ef99196531e94cd9803c630e7fb05c">648d7c0d</a></strong>
<div>
<span>by Rob Crittenden</span>
<i>at 2018-05-03T15:34:45Z</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">Disable message about log in ipa-backup if IPA is not configured
Introduce server installation constants similar to the client
but only tie in SERVER_NOT_CONFIGURED right now.
For the case of not configured don't spit out the "See <some log>
for more information" because no logging was actually done.
In the case of ipa-backup this could also be confusing if the
--log-file option was also passed in because it would not be
used.
https://pagure.io/freeipa/issue/6843
Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/commit/880d9b413477c308eca830818b736164f6b06409">880d9b41</a></strong>
<div>
<span>by Christian Heimes</span>
<i>at 2018-05-04T10:03:43Z</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">Require nss with fix for nickname bug
nss 3.36.1-1.1 addresses a bug in the shared SQL database layer. A nicknames
of certificates are no longer changed when a certificate is imported
multiple times under different name.
Partly revert commit ad2eb3d09b8336008d7f04c3d134c707530d9eb6 with fix
for https://pagure.io/freeipa/issue/7498. The root cause for the bug has
been addressed by the NSS release.
See: https://pagure.io/freeipa/issue/7516
See: https://pagure.io/freeipa/issue/7498
See: https://bugzilla.redhat.com/show_bug.cgi?id=1568271
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/commit/573f13228da7d711d3b22fa7f78f4a78e199288b">573f1322</a></strong>
<div>
<span>by Rob Crittenden</span>
<i>at 2018-05-04T19:08:47Z</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">Fix certificate retrieval in ipa-replica-prepare for DL0
The NSSDatabase object doesn't know the format of an NSS database
until the database is created so an explcit call to nssdb.create_db.
https://pagure.io/freeipa/issue/7469
Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Fraser Tweedale <ftweedal@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/commit/c17ba11cbae8ffcd852371c21dd0142932861564">c17ba11c</a></strong>
<div>
<span>by Christian Heimes</span>
<i>at 2018-05-07T14:21:10Z</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">Require Dogtag 10.6.1
Dogtag 10.6.1 contains fixes for external CA support.
See: http://pagure.io/dogtagpki/issue/3005
See: http://pagure.io/dogtagpki/issue/3007
See: http://pagure.io/dogtagpki/issue/3008
Fixes: https://bugzilla.redhat.com/show_bug.cgi?id=1573094
Fixes: https://pagure.io/freeipa/issue/7516
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/commit/5e4da703245870bed22162cc41236c4261cc65e7">5e4da703</a></strong>
<div>
<span>by Christian Heimes</span>
<i>at 2018-05-07T14:21:10Z</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">Only run subset of external CA tests
All tests are taking over an hour to execute, which is too long for
PR-CI.
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/commit/49b4a057f1b0459331bcec2c8d760627d00e4571">49b4a057</a></strong>
<div>
<span>by Christian Heimes</span>
<i>at 2018-05-07T14:22:10Z</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">Create missing /etc/httpd/alias for ipasession.key
The director /etc/httpd/alias was created by mod_nss. Since FreeIPA no
longer depends on mod_nss, the directory is no longer created on fresh
systems.
Note: At first I wanted to move the file to /var/lib/ipa/private/ or
/var/lib/httpd/. SELinux prevents write of httpd_t to ipa_var_lib_t. I'm
going to move the file after a new SELinux policy is available.
See: https://pagure.io/freeipa/issue/7529
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/commit/2a58fe6a3231f070dc979ab64a1deb10b8f085fd">2a58fe6a</a></strong>
<div>
<span>by Christian Heimes</span>
<i>at 2018-05-07T14:23:04Z</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">Revert "Validate the Directory Manager password"
This reverts commit 0653d2a17e67a32c9adcca8145afa231f228b855. The commit
broke full ipa-restore.
See: https://pagure.io/freeipa/issue/7469
See: https://pagure.io/freeipa/issue/7535
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/commit/9e8fb94e87339b9908ec05fe5274ca51df3a82cf">9e8fb94e</a></strong>
<div>
<span>by Alexander Bokovoy</span>
<i>at 2018-05-08T20:39:22Z</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">service: allow creating services without a host to manage them
Add --skip-host-check option to ipa service-add command to allow
creating services without corresponding host object. This is needed to
cover use cases where Kerberos services created to handle client
authentication in a dynamically generated environment like Kubernetes.
Fixes: https://pagure.io/freeipa/issue/7514
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/commit/e64286571739d27822b118c780fbb8825038ae1c">e6428657</a></strong>
<div>
<span>by Alexander Bokovoy</span>
<i>at 2018-05-08T20:39:22Z</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">group: allow services as members of groups
Allow services to be members of the groups, like users and other groups
can already be.
This is required for use cases where such services aren't associated
with a particular host (and thus, the host object cannot be used to
retrieve the keytabs) but represent purely client Kerberos principals to
use in a dynamically generated environment such as Kubernetes.
Fixes: https://pagure.io/freeipa/issue/7513
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/commit/392f44a38a7e97242cfd2145592fbf6038191d09">392f44a3</a></strong>
<div>
<span>by Stanislav Laznicka</span>
<i>at 2018-05-10T08:03:02Z</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">mod_ssl: add SSLVerifyDepth for external CA installs
mod_ssl's limiting of client cert verification depth was causing
the replica installs to fail when master had been installed with
external CA since the SSLCACertificateFile was pointing to a file
with more than one certificate. This is caused by the default
SSLVerifyDepth value of 1. We set it to 5 as that should be
just about enough even for possible sub-CAs.
https://pagure.io/freeipa/issue/7530
Reviewed-By: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/commit/a885f07d1388deb7c126e7f01b6c0db0085ccaf8">a885f07d</a></strong>
<div>
<span>by Stanislav Laznicka</span>
<i>at 2018-05-10T08:05:22Z</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">Allow user administrator to change user homedir
https://pagure.io/freeipa/issue/7427
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/commit/8a8b641c722ad5ca6ef466605f95e98b27551291">8a8b641c</a></strong>
<div>
<span>by Felipe Barreto</span>
<i>at 2018-05-10T19:52:42Z</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">Fixing TestCASpecificRUVs::test_replica_uninstall_deletes_ruvs
This test will setup a master and a replica, uninstall replica and check
for the replica RUVs on the master. It was missing the step of running
ipa-replica-manage del <replica hostname> to properly remove the RUVs.
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/commit/23c23a3cc17288b1fdacc73cca316fd427bcc517">23c23a3c</a></strong>
<div>
<span>by Felipe Barreto</span>
<i>at 2018-05-10T19:52:42Z</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">Fixing tests on TestReplicaManageDel
This commit fixes the tests on class TestReplicaManageDel:
- test_replica_managed_del_domlevel1
- test_clean_dangling_ruv_multi_ca
- test_replica_managed_del_domlevel0
Given that domain level 0 doest not have autodiscovery, we need to
configure /etc/resolv.conf with the master data (search <domain> and
nameserver <master_ip>) in order to ipa-replica-install succeed.
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/commit/ef3f0851f43e733c489a704ca973ba133c6532d4">ef3f0851</a></strong>
<div>
<span>by Michal Reznik</span>
<i>at 2018-05-15T10:56:03Z</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">ui_tests: checkbox click fix
We check a box with clicking on label by default however sometimes
when a label is too short (1-2 letters) we are hitting an issue
that the checkbox obscures the label.
https://pagure.io/freeipa/issue/7547
Reviewed-By: Petr Vobornik <pvoborni@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/commit/897f1cda930d33d32137de3d9a9742336be6531e">897f1cda</a></strong>
<div>
<span>by Michal Reznik</span>
<i>at 2018-05-15T10:57:26Z</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">ui_tests: improve "field_validation" method
Often when trying to check e.g. required field we pass the
method another element as parent in order to narrow down a scope
for validation. This way we can just pass "field" name to make the
process easier.
https://pagure.io/freeipa/issue/7546
Reviewed-By: Petr Vobornik <pvoborni@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/commit/8328a555ae5d6e9e0da2b297fbae0065185cd24e">8328a555</a></strong>
<div>
<span>by Rob Crittenden</span>
<i>at 2018-05-15T18:13:35Z</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">Update 4.7 translations
Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/commit/7c5ee4e8fc19e5f5ac4076430d571cd60c51fb12">7c5ee4e8</a></strong>
<div>
<span>by Petr Vobornik</span>
<i>at 2018-05-15T18:15:34Z</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">server-del do not return early if CA renewal master cannot be changed
Early return prevented adding last warning message in the method:
"Ignoring these warnings and proceeding with removal"
And thus `check_master_removal` in `test_server_del` did not work.
https://pagure.io/freeipa/issue/7517
Signed-off-by: Petr Vobornik <pvoborni@redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/commit/60e992ca569543b7cf74366a7feece71f62f2db3">60e992ca</a></strong>
<div>
<span>by Petr Vobornik</span>
<i>at 2018-05-15T18:15:34Z</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">Fix test_server_del::TestLastServices
The reason why the test started to fail is probably commit be3ad1e where the checks
were reordered. TestLastServices relies on execution of tests in a specific order.
So it fails given that checks were changed but tests weren't.
Given that master is installed with DNS and CA and replica with anything and given
that checks in server-del command are in order: DNS, DNSSec, CA, KRA then the test
should be something like:
* install master (with DNS, CA)
* install replica
* test test_removal_of_master_raises_error_about_last_dns
* test_install_dns_on_replica1_and_dnssec_on_master (installing DNS and
DNSSec will allow DNSSec check)
* test_removal_of_master_raises_error_about_dnssec
* test_disable_dnssec_on_master (will allow CA check)
* test_removal_of_master_raises_error_about_last_ca
* test_forced_removal_of_master
https://pagure.io/freeipa/issue/7517
Signed-off-by: Petr Vobornik <pvoborni@redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/commit/021b2f6e97fcb4e7390d871faaa28a9d6ab8bfe5">021b2f6e</a></strong>
<div>
<span>by Rob Crittenden</span>
<i>at 2018-05-15T18:56:52Z</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">Become IPA 4.6.90.pre2
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/commit/230760ffea83a9e9d82a0d23cb7fe3cd8993e271">230760ff</a></strong>
<div>
<span>by Rob Crittenden</span>
<i>at 2018-05-15T19:35:26Z</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">VERSION.m4: Set back to git snapshot
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/commit/a0e846f56c8de3b549d1d284087131da13135e34">a0e846f5</a></strong>
<div>
<span>by Rob Crittenden</span>
<i>at 2018-05-16T15:32:29Z</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">Return unique error when automount is already or not configured
Use identical return codes as ipa-client-install when uninstalling
ipa-client-automount and it is not configured, or when calling
it again to return that is ias already configured.
https://pagure.io/freeipa/issue/7396
Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Tibor Dudlak <tdudlak@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/commit/a0eaa742343de194ecef2ff7c9e3c74e7f35f51f">a0eaa742</a></strong>
<div>
<span>by Rob Crittenden</span>
<i>at 2018-05-16T15:32:29Z</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">Client install should handle automount unconfigured on uninstall
ipa-client-automount now returns CLIENT_NOT_CONFIGURED when it is
not configured. Handle this in uninstall().
https://pagure.io/freeipa/issue/7396
Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Tibor Dudlak <tdudlak@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/commit/c61151f6aa0c033834aed70561fc762c06176555">c61151f6</a></strong>
<div>
<span>by Alexander Bokovoy</span>
<i>at 2018-05-17T20:55:42Z</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">pylint3: workaround false positives reported for W1662
Pylint3 falsely reports warning W1662: using a variable that was bound
inside a comprehension for the cases where the same name is reused for a
loop after the comprehension in question.
Rename the variable in a loop to avoid it.
If the code looks like the following:
arr = [f for f in filters if callable(f)]
for f in arr:
result = result + f()
pylint3 would consider 'f' used outside of comprehension. Clearly, this
is a false-positive warning as the second 'f' use is completely
independent of the comprehension's use of 'f'.
Reviewed-By: Aleksei Slaikovskii <aslaikov@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/commit/b82af698828354fcfb14200ab0dd5a397185ad59">b82af698</a></strong>
<div>
<span>by Aleksei Slaikovskii</span>
<i>at 2018-05-17T22:36:33Z</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">Radius proxy multiservers fix
Now radius proxy plugin allows to add more then one radius server
into radius proxy but the first one from ldap response is being
parsed (you can see ./daemons/ipa-optd/parse.c).
So this kind of behaviour is a bug, as it was determined on IRC.
This patch removes possibility to add more then one radius server
into radius proxy.
Pagure: https://pagure.io/freeipa/issue/7542
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Alexander Koksharov <akokshar@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/commit/8d508b8e954aca460949b5151422bf5f59f9eee8">8d508b8e</a></strong>
<div>
<span>by Michal Reznik</span>
<i>at 2018-05-18T10:17:54Z</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">ui_tests: extend test_selinuxusermap.py suite
Extend test_selinuxusermap.py suite with new test cases. Details in
the ticket.
We also modify "add_table_associations" to handle "cancel" and
"negative" in the way other methods works.
Lastly, we start using dialog_btn=None to test keyboard confirmation
as we did use it incorrectly with "Negative=True" where it was already
confirmed by "click".
Added tests:
addselinuxusermap_MLS_singlelevel
addselinuxusermap_cancel
addselinuxusermap_disabledhbacrule
addselinuxusermap_MLS_range
addselinuxusermap_MCS_range
addselinuxusermap_MCS_commas
addselinuxusermap_MLS_singlevalue
addselinuxusermap_multiple
addandeditselinuxusermap
selinuxusermap_undo
selinuxusermap_refresh
selinuxusermap_reset
selinuxusermap_update
selinuxusermap_backlink_cancel
selinuxusermap_backlink_reset
selinuxusermap_backlink_update
selinuxusermap_deletemultiple
add_user_selinuxusermap_cancel
add_host_selinuxusermap_cancel
add_hostgroup_selinuxusermap_cancel
selinuxusermap_requiredfield
selinuxusermap_duplicate
selinuxusermap_nonexistinguser
selinuxusermap_invalidusersyntaxMCS
selinuxusermap_invalidusersyntaxMLS
add_usernegative_selinuxusermap
selinuxusermap_addNegativeHBACrule
selinuxusermap_search
selinuxusermap_searchnegative
selinuxusermap_disablemultiple
selinuxusermap_enablemultiple
selinuxusermap_deleteNegativeHBACrule
add_selinuxusermap_adder_dialog_bug910463
delete_selinuxusermap_deleter_dialog_bug910463
https://pagure.io/freeipa/issue/7544
Reviewed-By: Petr Vobornik <pvoborni@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/commit/0959c47676d11fa73ab10fb0559f8dc045d7f8dd">0959c476</a></strong>
<div>
<span>by Michal Reznik</span>
<i>at 2018-05-18T10:17:54Z</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">ui_tests: add click_undo_button() func
Add click_undo_button() function to simplify clicking on
particular`s field undo button/s.
https://pagure.io/freeipa/issue/7544
Reviewed-By: Petr Vobornik <pvoborni@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/commit/3508227fc873be005f612a8b5f27a7a9fe1fb1be">3508227f</a></strong>
<div>
<span>by Varun Mylaraiah</span>
<i>at 2018-05-18T11:23:00Z</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">Extend WebUI test_krbpolicy suite with the following test cases: test_verifying_button (verify button's action in various scenarios) test_negative_value (verify invalid values) test_verifying_measurement_unit
https://pagure.io/freeipa/issue/7540
Signed-off-by: Varun Mylaraiah <mvarun@redhat.com>
Reviewed-By: Michal Reznik <mreznik@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/commit/3c9810e9639095779e9b4f7c8bf37de3d4b8922c">3c9810e9</a></strong>
<div>
<span>by Petr Čech</span>
<i>at 2018-05-18T14:39:18Z</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">webui:tests: Add tests for realmd domains
This patch expands WebUI testing on realmd domains
page. The added tests are:
test_add_single_labeled_domain
test_dnszone_del_hooked_to_realmdomains_mod
test_dns_reversezone_add_hooked_to_realmdomains_mod
test_dnszone_add_hooked_to_realmdomains_mod
test_del_domain_of_ipa_server_bug1035286
test_add_non_dns_configured_domain_positive
test_add_non_dns_configured_domain_negative
test_del_domain_with_force_update
test_del_domain_and_update
test_del_domain_and_refresh
test_del_domain_revert
test_del_domain_undo_all
test_del_domain_undo
test_add_domain_and_update
test_add_domain_with_trailing_space
test_add_domain_with_leading_space
test_add_empty_domain
test_add_duplicate_domaini
test_add_domain_and_revert
test_add_domain_and_refresh
test_add_domain_and_undo_all
test_add_domain_and_undo
test_add_domain_with_special_char
Reviewed-By: Felipe Volpone <felipevolpone@gmail.com>
Reviewed-By: Varun Mylaraiah <mvarun@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/commit/d4f2f53eb25a03e3a3a4f1f0d6abb5306d52fa75">d4f2f53e</a></strong>
<div>
<span>by amitkumar50</span>
<i>at 2018-05-21T18:32:38Z</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">ipa-advise: remove plugin config-fedora-authconfig
ipa-advise config-fedora-authconfig produces a script with authconfig
instructions for configuring Fedora 18/19 client with IPA server
without use of SSSD. Fedora 18 and 19 are not supported any more,
so the plugin could be removed.
Resolves: https://pagure.io/freeipa/issue/7533
Reviewed-By: Petr Vobornik <pvoborni@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/commit/75e86f2f13cc2abef457593312cdd1b84d99733a">75e86f2f</a></strong>
<div>
<span>by Christian Heimes</span>
<i>at 2018-05-22T06:39:33Z</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">Run PR-CI with Fedora 28
Signed-off-by: Christian Heimes <cheimes@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/commit/e06c7566fdc540734eb62eb2ff1d149a6378e97a">e06c7566</a></strong>
<div>
<span>by amitkumar50</span>
<i>at 2018-05-22T15:03:06Z</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">ipa vault-archive overwrites an existing value without warning
Upstream ticket was raised for issuing an warning message
whenever data in ipa vault is overwritten.
In Bugzilla(1339129) its agreed upon that Current behavior is consistent
with other IPA commands. None of ipa mod commands asks for confirmation
and therefore it should be the same here.
But to document, that vault can contain only one value in ipa help vault.
This PR addresses the changes agreed in Bugzilla.
Resolves: https://pagure.io/freeipa/issue/5922
Reviewed-By: Fraser Tweedale <ftweedal@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/commit/952b45a3a44929e325579211502ab020eea27786">952b45a3</a></strong>
<div>
<span>by Stanislav Laznicka</span>
<i>at 2018-05-24T07:54:26Z</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">Travis: ignore 'line break after binary operator'
Reviewed-By: Christian Heimes <cheimes@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/commit/1e5c3d7c6a8ebe09991cf6fc8485e065a03c22d4">1e5c3d7c</a></strong>
<div>
<span>by Christian Heimes</span>
<i>at 2018-05-25T14:26:14Z</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">Reproducer for issue 5923 (bytes in error response)
Error response used to contain bytes instead of text, which triggered an
exception.
See: https://pagure.io/freeipa/issue/5923
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/commit/59ea580046a41aa3c3902871a88b3c7439297461">59ea5800</a></strong>
<div>
<span>by Christian Heimes</span>
<i>at 2018-05-25T18:44:01Z</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">Require python-ldap >= 3.1.0
python-ldap 3.1.0 fixes a segfault caused by a reference counting bug.
See: https://pagure.io/freeipa/issue/7324
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/commit/dbc3788405b1d57c20946a98e40ca27c8ebac302">dbc37884</a></strong>
<div>
<span>by Christian Heimes</span>
<i>at 2018-05-27T14:05:50Z</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">Use GnuPG 2 for symmentric encryption
The /usr/bin/gpg command is old, legacy GnuPG 1.4 version. The
recommended version is GnuPG 2 provided by /usr/bin/gpg2. For simple
symmentric encryption, gpg2 is a drop-in replacement for gpg.
Fixes: https://pagure.io/freeipa/issue/7560
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/commit/8e165480ace76ab97e40e9396293eccff36497e0">8e165480</a></strong>
<div>
<span>by Christian Heimes</span>
<i>at 2018-05-27T14:05:50Z</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">Use GnuPG 2 for backup/restore
ipa-backup and ipa-restore now use GnuPG 2 for asymmetric encryption, too.
The gpg2 command behaves a bit different and requires a gpg2 compatible
config directory. Therefore the --keyring option has been deprecated.
The backup and restore tools now use root's GPG keyring by default.
Custom configuration and keyring can be used by setting GNUPGHOME
environment variables.
Fixes: https://pagure.io/freeipa/issue/7560
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/commit/45d776a7bf05f3495dee078c7dd58ed0db13f64a">45d776a7</a></strong>
<div>
<span>by Rob Crittenden</span>
<i>at 2018-05-27T14:08:21Z</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">Don't try to set Kerberos extradata when there is no principal
This was causing ns-slapd to segfault in the password plugin.
https://pagure.io/freeipa/issue/7561
Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/commit/7c5ecb8d08827a60f77eda0911a6b39db5badf82">7c5ecb8d</a></strong>
<div>
<span>by Rob Crittenden</span>
<i>at 2018-05-27T14:08:21Z</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">Rename test class for testing simple commands, add test
The concensus in the review was that the name test_commands was
more generic than test_ipa_cli.
Add a test to change the password for sysaccount users using
using ldappasswd to confirm that a segfault fix does not regress.
https://pagure.io/freeipa/issue/7561
Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/commit/af99032d901d55e56bccdc272cfbf3617de05b53">af99032d</a></strong>
<div>
<span>by Florence Blanc-Renaud</span>
<i>at 2018-05-28T19:25:47Z</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">ipa-server-install: publish complete cert chain in /usr/share/ipa/html/ca.crt
When IPA is installed with an externally signed CA, the master installer
does not publish the whole cert chain in /usr/share/ipa/html/ca.crt (but
/etc/ipa/ca.crt contains the full chain).
If a client is installed with a One-Time Password and without the
--ca-cert-file option, the client installer downloads the cert chain
from http://master.example.com/ipa/config/ca.crt, which is in fact
/usr/share/ipa/html/ca.crt. The client installation then fails.
Note that when the client is installed by providing admin/password,
installation succeeds because the cert chain is read from the LDAP server.
https://pagure.io/freeipa/issue/7526
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/commit/1d70ce850e965a2d5475895aa88668756a6810b3">1d70ce85</a></strong>
<div>
<span>by Florence Blanc-Renaud</span>
<i>at 2018-05-28T19:25:47Z</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">Test for 7526
Add a test for issue 7526: install a client with a bulk enrollment
password, enrolling to an externally-signed CA master.
Without the fix, the master does not publish the whole cert chain
in /usr/share/ipa/html/ca.crt. As the client installer downloads the
cert from this location, client installation fails.
With the fix, the whole cert chain is available and client installation
succeeds.
The test_external_ca.py::TestExternalCA now requires 1 replica and 1
client, updated .freeipa-pr-ci.yaml accordingly.
Also removed the annotation @tasks.collect_logs from test_external_ca
as it messes with test ordering (and the test collects logs even
without this annotation).
Related to:
https://pagure.io/freeipa/issue/7526
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/commit/9b8bb85ecac9b40f6f595a1736417da59d34d9d7">9b8bb85e</a></strong>
<div>
<span>by Christian Heimes</span>
<i>at 2018-05-29T06:51:10Z</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">Add test case for allow-create-keytab
A ref counting bug in python-ldap caused create and retrieve keytab
feature to fail. Additional tests verify, that
ipaallowedtoperform;write_keys attribute is handled correctly.
See: https://pagure.io/freeipa/issue/7324
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/commit/9a9c8ced30702a6c7ddb09e09f65caaa26b4efba">9a9c8ced</a></strong>
<div>
<span>by Christian Heimes</span>
<i>at 2018-05-29T13:30:37Z</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">Use sane default settings for ldap connections
LDAP connections no longer depend on sane settings in global ldap.conf
and use good default settings for cert validation, CA, and SASL canonization.
https://pagure.io/freeipa/issue/7418
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/commit/829998b19b30e5f71c4438598d92afc93a9f0162">829998b1</a></strong>
<div>
<span>by Christian Heimes</span>
<i>at 2018-05-29T13:30:37Z</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">Apply sane LDAP settings to C code
Common LDAP code from ipa-getkeytab and ipa-join are moved to libutil.a.
The common ipa_ldap_init() and ipa_tls_ssl_init() set the same options
as ldap_initialize()
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/commit/172df673dd90446d8c414396c7b6e7c5f05e052f">172df673</a></strong>
<div>
<span>by Christian Heimes</span>
<i>at 2018-05-29T13:30:37Z</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">Refuse PORT, HOST in /etc/openldap/ldap.conf
OpenLDAP has deprecated PORT and HOST stanzes in ldap.conf. The presence
of either option causes FreeIPA installation to fail. Refuse
installation when a deprecated and unsupported option is present.
Fixes: https://pagure.io/freeipa/issue/7418
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/commit/0030118ddc81af2df215a31b3863e0f560332130">0030118d</a></strong>
<div>
<span>by Timo Aaltonen</span>
<i>at 2018-05-29T15:03:56Z</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">Create kadm5.acl if it doesn't exist
kadmind doesn't start without it, and Debian doesn't ship it by default.
Fixes: https://pagure.io/freeipa/issue/7553
Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/commit/7a27651a0a7eaa8cedd15d05fe89116f7b64b3c0">7a27651a</a></strong>
<div>
<span>by Timo Aaltonen</span>
<i>at 2018-05-29T15:03:56Z</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">constants: Fix HTTPD_GROUP for Debian
Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/commit/a3a3d6da5bc88e0ec35420fb8f02aa0379248f3a">a3a3d6da</a></strong>
<div>
<span>by Timo Aaltonen</span>
<i>at 2018-05-29T15:03:56Z</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">paths: Fix some path definitions for Debian.
Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/commit/86ef31d76081bde396788b6585af96b09dbb3333">86ef31d7</a></strong>
<div>
<span>by Timo Aaltonen</span>
<i>at 2018-05-29T15:03:56Z</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">Add mkhomedir support for Debian
Fixes: https://pagure.io/freeipa/issue/7556
Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/commit/c5ee8ae5297f1686f4af74e74c284860515c2dc6">c5ee8ae5</a></strong>
<div>
<span>by Timo Aaltonen</span>
<i>at 2018-05-29T15:03:56Z</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">named.conf: Disable duplicate zone on debian, and modify data dir
zone already imported via default zones.
Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/commit/ffdb20aeb31cf3b5f02f261aff11418ee3cf02d2">ffdb20ae</a></strong>
<div>
<span>by Timo Aaltonen</span>
<i>at 2018-05-29T15:03:56Z</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">ldapupdate: Add support for Debian multiarch
And since Fedora 28 dropped support for non-64bit, hardcode default LIBARCH as 64.
Fixes: https://pagure.io/freeipa/issue/7555
Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/commit/8c0d7bb92ff3d0b13702b41faa47e96f697f222e">8c0d7bb9</a></strong>
<div>
<span>by Timo Aaltonen</span>
<i>at 2018-05-29T15:03:56Z</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">Fix HTTPD SSL configuration for Debian.
The site and module configs are split on Debian, server setup needs
to match that.
Fixes: https://pagure.io/freeipa/issue/7554
Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/commit/f47d86c719aa67f62f3d0c54f5270fc0fc8d1393">f47d86c7</a></strong>
<div>
<span>by Stanislav Laznicka</span>
<i>at 2018-05-29T15:03:56Z</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">Move config directives handling code
Move config directives handling code:
ipaserver.install.installutils -> ipapython.directivesetter
Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/commit/fb16bc933c839b9ce1a57684de416feacd8ac6a2">fb16bc93</a></strong>
<div>
<span>by Christian Heimes</span>
<i>at 2018-05-30T06:18:40Z</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">Require JSS 4.4.4 with fix for sub CA replication
The SQL backend of NSS behaves differently than the DBM backend.
Specifically PK11_UnwrapPrivateKey generates a different CKA_ID. JSS 4.4.4
contains a workaround for broken sub CA replication.
Note: FreeIPA doesn't depend on JSS directly. The version requirement
was added to update JSS to a working version
See: https://bugzilla.redhat.com/show_bug.cgi?id=1583140
Fixes: https://pagure.io/freeipa/issue/7536
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Fraser Tweedale <ftweedal@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/commit/2256f9ef6af5c5eb780a0c5aeadb249ff882549f">2256f9ef</a></strong>
<div>
<span>by Rob Crittenden</span>
<i>at 2018-05-30T06:53:12Z</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">Validate the Directory Manager password before starting restore
The password was only indirectly validated when trying to
disable replication agreements for the restoration.
Only validate the password if the IPA configuration is available
and dirsrv is running.
https://pagure.io/freeipa/issue/7136
https://pagure.io/freeipa/issue/7535
Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/commit/59b3eb0433b85f554ba999487288ad18a2be33e0">59b3eb04</a></strong>
<div>
<span>by Rob Crittenden</span>
<i>at 2018-05-30T06:53:12Z</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">Add tests for ipa-restore with DM password validation check
ipa-restore should validate the DM password before executing
the restoration. This adds two test cases:
1. Restore with a bad DM password
2. Restore with dirsrv down so password cannot be checked
Related: https://pagure.io/freeipa/issue/7136
Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/commit/1da3eddf56450c4e41d92796fc303fdd0315690d">1da3eddf</a></strong>
<div>
<span>by Fraser Tweedale</span>
<i>at 2018-05-30T13:09:55Z</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">Handle compressed responses from Dogtag
We currently accept compressed responses for some Dogtag resources,
via an 'Accept: gzip, deflate' header. But we don't decompress the
received data. Inspect the response Content-Encoding header and
decompress the response body according to its value.
The `gzip.decompress` function is only available on Python 3.2 or
later. In earlier versions, it is necessary to use StringIO and
treat the compressed data as a file. This commit avoids this
complexity. Therefore it should only be included in Python 3 based
releases.
Fixes: https://pagure.io/freeipa/issue/7563
Reviewed-By: Christian Heimes <cheimes@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/commit/0a87de5ed523e0dc55d42a3e35882928c923e117">0a87de5e</a></strong>
<div>
<span>by Christian Heimes</span>
<i>at 2018-05-30T13:09:55Z</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">Backport gzip.decompress for Python 2
Python 2 doesn't have gzip.decompress(data: bytes) -> bytes function.
Backport the two line function from Python 3.6.
Fixes: https://pagure.io/freeipa/issue/7563
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/commit/4274b361fe1940adb918572756e80da8dd8900b5">4274b361</a></strong>
<div>
<span>by Mohammad Rizwan Yusuf</span>
<i>at 2018-05-31T10:18:34Z</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">Test to check second replica installation after master restore
When master is restored from backup and replica1 is re-initialize,
second replica installation was failing. The issue was with ipa-backup
tool which was not backing up the /etc/ipa/custodia/custodia.conf and
/etc/ipa/custodia/server.keys.
related ticket: https://pagure.io/freeipa/issue/7247
Signed-off-by: Mohammad Rizwan Yusuf <myusuf@redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/commit/3e4b9cd9693ee0682baf768b20bfa3fce431ca3d">3e4b9cd9</a></strong>
<div>
<span>by Pavel Picka</span>
<i>at 2018-05-31T11:05:05Z</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">Adding WebUI Host test cases
Added test cases due to downstream test cases
- negative input
- ssh keys
- csr
- otp
- filter
- buttons
https://pagure.io/freeipa/issue/7550
Signed-off-by: Pavel Picka <ppicka@redhat.com>
Reviewed-By: Varun Mylaraiah <mvarun@redhat.com>
Reviewed-By: Petr Vobornik <pvoborni@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/commit/a2e8d989a359690f493930461adf7f52a0cc745d">a2e8d989</a></strong>
<div>
<span>by Robbie Harwood</span>
<i>at 2018-05-31T15:53:25Z</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">Fix elements not being removed in otpd_queue_pop_msgid()
If the element being removed were not the queue head,
otpd_queue_pop_msgid() would not actually remove the element, leading
to potential double frees and request replays.
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/commit/cf25823e997ef4f5036470413522d9d25d6b11a7">cf25823e</a></strong>
<div>
<span>by Christian Heimes</span>
<i>at 2018-05-31T18:12:49Z</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">Print version string in installer
The server, replica, and client installer now print the current version
number on the console, before the actual installer starts. It makes it
easier to debug problems with failed installations. Users typically post
the console output in a ticket.
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/commit/816daf9355ea6a2dc62d0167431920aebc904b88">816daf93</a></strong>
<div>
<span>by Fraser Tweedale</span>
<i>at 2018-06-01T13:40:33Z</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">Add missing space in error string
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/commit/3927b0e7b1a6de1734d2e3b4e283dcc7d3f0a406">3927b0e7</a></strong>
<div>
<span>by Mohammad Rizwan Yusuf</span>
<i>at 2018-06-01T13:42:32Z</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">Extended UI test for selfservice permission.
Follwoing scenario added:
- test_add_all_attr
- test_add_and_add_another
- test_add_and_edit
- test_add_and_cancel
- test_add_permission_undo
- test_add_permission_reset
- test_permission_negative
- test_del_multiple_permission
- test_permission_using_enter_key
- test_reset_sshkey_permsission
Signed-off-by: Mohammad Rizwan Yusuf <myusuf@redhat.com>
Reviewed-By: Petr Vobornik <pvoborni@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/commit/326fd6a70dc9fc9cb4b8bc45f76fe3f6092ee2a2">326fd6a7</a></strong>
<div>
<span>by amitkuma</span>
<i>at 2018-06-05T18:01:11Z</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">Match Common Name attribute in Subject
ipa cert_find command has an option called --subject.
The option is documented as --subject=STR Subject.
It is expected that a --subject option searches by X.509 subject field but it does not do so.
It searches for CN not cert subject. Hence changing content of --subject help option.
Resolves: https://pagure.io/freeipa/issue/7322
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/commit/992a5f482319369c231456e311bb316dd7747016">992a5f48</a></strong>
<div>
<span>by Christian Heimes</span>
<i>at 2018-06-05T20:34:27Z</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">Move client templates to separate directory
PR https://github.com/freeipa/freeipa/pull/1747 added the first template
for FreeIPA client package. The template file was added to server
templates, which broke client-only builds.
The template is now part of a new subdirectory for client package shared
data.
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/commit/f03df5fe41ed43e63ae7b7b63929140110bc85e0">f03df5fe</a></strong>
<div>
<span>by Felipe Barreto</span>
<i>at 2018-06-07T15:27:38Z</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">Adding xfail to failing tests
The tests listed below are failing and we do not have time to debug them
and understand why. Adding xfail to keep it green.
TestInstallDNSSECLast::test_disable_reenable_signing_master
TestInstallDNSSECLast::test_disable_reenable_signing_replica
TestInstallDNSSECFirst::test_chain_of_trust
Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/commit/2b3eb5c567e1e5d4fe7d945e36615cef3dd4d144">2b3eb5c5</a></strong>
<div>
<span>by Rob Crittenden</span>
<i>at 2018-06-07T16:55:01Z</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">Disable Schema Compat plugin during server upgrade
If this is enabled it can cause a deadlock with SSSD trying
to look up entries and it trying to get data on AD users
from SSSD.
When reading the entry from LDIF try to get the camel-case
nsslapd-pluginEnabled and fall back to the all lower-case
nsslapd-pluginenabled if that is not found. It would be nice
if the fetch function was case sensitive but this is likely
overkill as it is, but better safe than blowing up.
Upon restoring it will always write the camel-case version.
https://pagure.io/freeipa/issue/6721
Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/commit/f976f6cfd8d3ca1f9bff822278086df1f999fdbe">f976f6cf</a></strong>
<div>
<span>by Rob Crittenden</span>
<i>at 2018-06-08T08:49:18Z</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">Use replace instead of add to set new default ipaSELinuxUserMapOrder
The add was in effect replacing whatever data was already there
causing any custom order to be lost on each run of
ipa-server-upgrade.
https://pagure.io/freeipa/issue/6610
Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/commit/b1f368c6829068bd3f5100829f9b36f479cc403c">b1f368c6</a></strong>
<div>
<span>by Michal Reznik</span>
<i>at 2018-06-08T12:03:30Z</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">ui_tests: fixes for issues with sending key and focus on element
Fixes 2 issues in WebUI tests. One issue is that we are unable to
confirm a dialog by "Enter" keyboard - "actions.click()" helps
here to get focus on the page.
Second issue is probbaly related to screen resolution as we cannot
click to some of the action buttons (buttons which are having issue
varies).
https://pagure.io/freeipa/issue/7583
Reviewed-By: Pavel Picka <ppicka@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/commit/533307382ad8212567337793bd42991885769a58">53330738</a></strong>
<div>
<span>by Christian Heimes</span>
<i>at 2018-06-10T16:33:38Z</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">Use one Custodia peer to retrieve all secrets
Fix 994f71ac8a1bb7ba6bc9caf0f6e4f59af44ad9c4 was incomplete. Under some
circumstancs the DM hash and CA keys were still retrieved from two different
machines.
Custodia client now uses a single remote to upload keys and download all
secrets.
Fixes: https://pagure.io/freeipa/issue/7518
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Simo Sorce <ssorce@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/commit/ed52baba0d34f2c0799c4ca3df074c367faa938f">ed52baba</a></strong>
<div>
<span>by Christian Heimes</span>
<i>at 2018-06-11T06:44:18Z</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">Make Python 2 build dependency optional
The specfile now uses three variables to determinate how to handle
Python support.
with_python2: build python2-ipa* packages
with_python3: build python3-ipa* packages
with_default_python: use Python 3 or 2 for commands and packages
"with_default_python=3" is the default build flavor. "with_python3=0"
implies "with_default_python=2". Python 2 packages are still built on
Fedora by default.
The patch also cleans up and fixes additional issues:
* makeapi/makeaci require Python 3
* remove checks for unsupported distros like F27
* sort dependencies and remove duplicates
* remove python3-memcached dependency
* remove svrcore-devel dependency
* don't assume that gcc, make, and pkgconfig are provided by default
* fix packaging bug with ipa-test-* commands. Unversioned ipa-run-test
were packages with Python 2 RPMs although they had a Python 3 shebang.
Fixes: https://bugzilla.redhat.com/show_bug.cgi?id=1565263
Fixes: https://pagure.io/freeipa/issue/7500
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/commit/390251d3dd19a6df4bba4116b9b5e6759322059a">390251d3</a></strong>
<div>
<span>by Christian Heimes</span>
<i>at 2018-06-11T06:44:18Z</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">Always build Python 3 packages
Remove with_python3 checks and always build Python 3 packages.
Co-authored-by: Stanislav Laznicka <slaznick@redhat.com>
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/commit/ec9ea73b630499a239ebfa8aef73f0e529001f3e">ec9ea73b</a></strong>
<div>
<span>by Aleksei Slaikovskii</span>
<i>at 2018-06-11T08:48:40Z</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">Uninstall fix for named-pkcs11
Sometimes named-pkcs11 is not being stopped or reloaded during
uninstall and it causes a lot of problems while testing, for example,
backup and restore tests are failing because of ipa-server-install
fails on checking DNS step.
Fixes backup/restore tests runs. Maybe something else.
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/commit/283987c1dff716bcfa77569d53cf7809b3f0b98a">283987c1</a></strong>
<div>
<span>by Aleksei Slaikovskii</span>
<i>at 2018-06-11T08:48:40Z</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">Revert "Fixing TestBackupAndRestore::test_full_backup_and_restore_with_removed_users"
This reverts commit 415578a199a221a3ed78cbf4d629c3e4ff6f39ec.
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/commit/fe70a9e62b9a97ef5b4fb5426034cce1f38cf536">fe70a9e6</a></strong>
<div>
<span>by Rob Crittenden</span>
<i>at 2018-06-11T10:20:48Z</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">Suppress missing cn=schema compat on installation
The schema compat plugin is disabled on upgrades but it is
possible that it is not configured at all and this will
produce a rather nasty looking error message.
Check to see if it is configured at all before trying to
disable it.
https://pagure.io/freeipa/issue/6610
Reviewed-By: Christian Heimes <cheimes@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/commit/c74f65ef235391c641a40e78fdd877cb04613e9c">c74f65ef</a></strong>
<div>
<span>by Christian Heimes</span>
<i>at 2018-06-11T16:02:55Z</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">Split external_ca PR-CI into two jobs
The external_ca job takes about 38 minutes of testing. Split the tests
into TestExternalCA (~17 minutes) and TestSelfExternalSelf +
TestExternalCAInstall (~20 minutes).
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/commit/f5a04da95ddd5ab89b356fdc33d3981dfddc3c3d">f5a04da9</a></strong>
<div>
<span>by Stanislav Levin</span>
<i>at 2018-06-12T06:38:56Z</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">Fix translation of commands description in API Browser
The command description is taken from python docstring. Thus
commands should have them and should include the callings of
gettext to be translated.
Reviewed-By: Christian Heimes <cheimes@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/commit/114e46b7c946be69c174d2b8b07f5d527b6b7c4c">114e46b7</a></strong>
<div>
<span>by Kaleemullah Siddiqui</span>
<i>at 2018-06-13T20:23:18Z</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">Test coverage for multiservers for radius proxy
Test checks that no multiservers can be added for
radius proxy
Pagure: https://pagure.io/freeipa/issue/7542
Signed-off-by: Kaleemullah Siddiqui <ksiddiqu@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/commit/7d12bbb99bee40188168523ff685b7e8e573ba17">7d12bbb9</a></strong>
<div>
<span>by Christian Heimes</span>
<i>at 2018-06-14T07:04:06Z</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">Use python3-lesscpy 0.13.0
Require python-lesscpy 0.13. with Python 3 fix and use py3-lesscpy to
compile ipa.css.
python2-lesscpy was the last Python 2 dependency.
Fixes: https://pagure.io/freeipa/issue/7585
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/commit/907e1649580b8677d56da6207731addc178dca80">907e1649</a></strong>
<div>
<span>by Christian Heimes</span>
<i>at 2018-06-15T06:30:55Z</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">Fedora 29 renamed fedora-domainname.service
In Fedora 29, the fedora-domainname.service has been renamed to
nis-domainname.service like on RHEL. The ipaplatform service module for
Fedora now only renames the service, when it detects the presence of
fedora-domainname.service.
Fixes: https://bugzilla.redhat.com/show_bug.cgi?id=1588192
Fixes: https://pagure.io/freeipa/issue/7582
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/commit/f1d5ab3a03191dbb02e5f95308cf8c4f1971cdcf">f1d5ab3a</a></strong>
<div>
<span>by Christian Heimes</span>
<i>at 2018-06-15T11:02:53Z</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">Increase WSGI process count to 5 on 64bit
Increase the WSGI daemon worker process count from 2 processes to 5
processes. This allows IPA RPC to handle more parallel requests. The
additional processes increase memory consumption by approximante 250 MB
in total.
Since memory is scarce on 32bit platforms, only 64bit platforms are
bumped to 5 workers.
Fixes: https://pagure.io/freeipa/issue/7587
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/commit/4f4835a724c18f71318296609293a27efee6e308">4f4835a7</a></strong>
<div>
<span>by Anuja More</span>
<i>at 2018-06-18T12:53:32Z</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">Test for ipa-replica-install fails with PIN error for CA-less env.
Signed-off-by: Anuja More <amore@redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
Reviewed-By: Aleksei Slaikovskii <aslaikov@redhat.com>
Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/commit/eda831dba1e09e7f4660c64756343538042b48e0">eda831db</a></strong>
<div>
<span>by Florence Blanc-Renaud</span>
<i>at 2018-06-19T06:51:02Z</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">Installer: configure authselect with-sudo
authselect needs to be configured with the 'with-sudo' feature (except
when ipa-client-install is called with the option --no-sudo).
https://pagure.io/freeipa/issue/7562
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/commit/f90e137a173385f2ff7622c6430a6178bccd730c">f90e137a</a></strong>
<div>
<span>by Christian Heimes</span>
<i>at 2018-06-19T06:56:46Z</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">Sort and shuffle SRV record by priority and weight
On multiple occasions, SRV query answers were not properly sorted by
priority. Records with same priority weren't randomized and shuffled.
This caused FreeIPA to contact the same remote peer instead of
distributing the load across all available servers.
Two new helper functions now take care of SRV queries. sort_prio_weight()
sorts SRV and URI records. query_srv() combines SRV lookup with
sort_prio_weight().
Fixes: https://pagure.io/freeipa/issue/7475
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/commit/57fd79ffce8f655ae39f6e15b3f40632b4ddbd4b">57fd79ff</a></strong>
<div>
<span>by Rob Crittenden</span>
<i>at 2018-06-19T07:09:01Z</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">Replace some test case adjectives
Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/commit/bdc3e3c58c94982e2c65c07823bd7e15041a87e8">bdc3e3c5</a></strong>
<div>
<span>by Mohammad Rizwan Yusuf</span>
<i>at 2018-06-19T10:44:10Z</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">Extended UI test for Certificates
Signed-off-by: Mohammad Rizwan Yusuf <myusuf@redhat.com>
Reviewed-By: Fraser Tweedale <ftweedal@redhat.com>
Reviewed-By: Michal Reznik <mreznik@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/commit/f1c7d3c27839709808f67791274215fd2555ad40">f1c7d3c2</a></strong>
<div>
<span>by Christian Heimes</span>
<i>at 2018-06-19T12:37:53Z</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">Start to deprecate Python 2 and 3.5
Python 2 will reach EOL in 18 months. Start to issue deprecation
warnings on Python 2.
No longer claim support for Python 3.5. Python 3.5 is untested.
NOTE: At first I tried to raise the deprecation warning from
ipalib.__init__. This caused some unforseen side-effects with
ipaplatform namespace package on Python 2. Eventually it was easier to
raise the deprecation warning in ipaplatform. RHEL and Debian platforms
don't raise the deprecation warning yet, because they use Python 2.
Fixes: https://pagure.io/freeipa/issue/7568
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Tibor Dudlak <tdudlak@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/commit/2d278720db4af334bc32575a02e7a555f5a896c6">2d278720</a></strong>
<div>
<span>by Michal Reznik</span>
<i>at 2018-06-19T12:58:08Z</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">ui_tests: extend test_config.py suite
Extend test_config.py suite with new test cases.
Added tests:
config_email_undo
config_groupsearch_reset
groupsearchfield_blank
groupsearchfield_existing
groupsearchfield_leading_space
groupsearchfield_notallowed
groupsearchfield_trailing_space
usersearchfield_trailing_space
sizelimit_blank
sizelimit_letter
sizelimit_space
timelimit_blank
timelimit_letter
timelimit_negative
timelimit_space
userDefaultShell_blank
userDefaultShell_leading_space
userDefaultShell_new
userDefaultShell_specialchar
userDefaultShell_trailing_space
useremail_leading_space
useremail_new
useremail_trailing_space
usergroup_new
userhomedir_blank
userhomedir_leading_space
userhomedir_numbers
userhomedir_space_inbetween
userhomedir_specialchar
userhomedir_trailing_space
usermigrationmode_disable
usermigrationmode_enable
usernamelength_blank
usernamelength_letters
usernamelength_max
usernamelength_new
usernamelength_space_inbetween
usernamelength_specialchar
userpwdexpnotify_blank
userpwdexpnotify_letters
userpwdexpnotify_max
userpwdexpnotify_space_inbetween
userpwdexpnotify_specialchar
usersearchfield_blank
usersearchfield_existing
usersearchfield_leading_space
usersearchfield_new
usersearchfield_notallowed
https://pagure.io/freeipa/issue/7576
Reviewed-By: Pavel Picka <ppicka@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/commit/0b794cd43b0e8a18517cbccdec2f183ce4cb38ec">0b794cd4</a></strong>
<div>
<span>by Florence Blanc-Renaud</span>
<i>at 2018-06-19T16:06:56Z</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">fix dependency for *-domainname.service file
FreeIPA has a dependency on /usr/lib/systemd/system/*-domainname.service
file. In fedora <=28, this is provided by package 'initscripts'
but in fedora >= 29, this is provided by package 'hostname'.
Fixes:
https://pagure.io/freeipa/issue/7591
Reviewed-By: Tibor Dudlak <tdudlak@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/commit/b96906156be37a7b29ee74423b82f04070c84e22">b9690615</a></strong>
<div>
<span>by Rob Crittenden</span>
<i>at 2018-06-20T06:38:03Z</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">Improve console logging for ipa-server-install
The server installation and uninstallation overlaps both the
server and client installers. The output could be confusing
with a server uninstall finishing with the message:
The ipa-client-install command was successful
This was in part due to the fact that the server was not
configured with a console format and verbose was False which
meant that no logger messages were displayed at all.
In order to suppress client installation errors and avoid
confusion add a list of errors to ignore. If a server install
was not successful and hadn't gotten far enough to do the
client install then we shouldn't complain loudly about it.
https://pagure.io/freeipa/issue/6760
Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/commit/8ea227451f4d85dbca6a331a607d25744e85121b">8ea22745</a></strong>
<div>
<span>by Rob Crittenden</span>
<i>at 2018-06-20T06:38:03Z</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">Drop attr defaultServerList if removing the last server
This otherwise returns a syntax error if trying to set
an empty value.
Related: https://pagure.io/freeipa/issue/6760
Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/commit/00ddb5dd53a2eb21cd7c97167b8a5f87ab728b07">00ddb5dd</a></strong>
<div>
<span>by Rob Crittenden</span>
<i>at 2018-06-20T06:38:03Z</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">server install: drop some print statements, change log level
The server installer had no console logger set so print
statements were used for communication. Now that a logger
is enabled the extra prints need to be dropped.
A number of logger.info statements have been upgraded
to debug since they do not need to appear on the console
by default.
https://pagure.io/freeipa/issue/6760
Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/commit/036d51d5143a142e6a3070e6328a7bcd9b2125f0">036d51d5</a></strong>
<div>
<span>by Rob Crittenden</span>
<i>at 2018-06-20T06:38:03Z</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">Handle subyptes in ACIs
While enabling console output in the server installation the
"Allow trust agents to retrieve keytab keys for cross realm
principals" ACI was throwing an unparseable error because
it has a subkey which broke parsing (the extra semi-colon):
userattr="ipaAllowedToPerform;read_keys#GROUPDN";
The regular expression pattern needed to be updated to handle
this case.
Related: https://pagure.io/freeipa/issue/6760
Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/commit/9ead70844e656b0b49433154e748769894cfb2ba">9ead7084</a></strong>
<div>
<span>by Anuja More</span>
<i>at 2018-06-20T08:06:39Z</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">Test that host can remove there own services
Signed-off-by: Anuja More <amore@redhat.com>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/commit/84ae625fe2c3786f7c5430f23a55c171ff54e110">84ae625f</a></strong>
<div>
<span>by Ganna Kaihorodova</span>
<i>at 2018-06-20T10:42:51Z</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">check nsds5ReplicaReleaseTimeout option was set
Check for nsds5ReplicaReleaseTimeout option was set
relates to: https://pagure.io/freeipa/issue/7488
Reviewed-By: Christian Heimes <cheimes@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/commit/8c3ff0308c95793a6809b8e0a3ed2a145ad3c8ea">8c3ff030</a></strong>
<div>
<span>by Christian Heimes</span>
<i>at 2018-06-21T09:49:26Z</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">Always set ca_host when installing replica
ipa-replica-install only set ca_host in its temporary
/etc/ipa/default.conf, when it wasn't installing a replica with CA. As a
consequence, the replica installer was picking a random CA server from
LDAP.
Always set the replication peer as ca_host. This will ensure that the
installer uses the same replication peer for CA. In case the replication
peer is not a CA master, the installer will automatically pick another
host later.
See: https://pagure.io/freeipa/issue/7566
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Fraser Tweedale <ftweedal@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/commit/f4716b69910f082a2fe039338f4268d941792258">f4716b69</a></strong>
<div>
<span>by Stanislav Levin</span>
<i>at 2018-06-21T13:30:58Z</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">Add support for format method to translation objects
For now translation classes have old style % formatting way only.
But 'format' is convenience, preferred in Python3 string formatting method.
Fixes: https://pagure.io/freeipa/issue/7586
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/commit/854597c411764b603ebbe15d97dbcadac321548d">854597c4</a></strong>
<div>
<span>by Stanislav Levin</span>
<i>at 2018-06-21T13:30:58Z</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">Use intended format() method of translation object
Translation objects have support for format(). This allows to
get rid of unicode() which is deprecated in Python3.
Fixes: https://pagure.io/freeipa/issue/7586
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/commit/65414d1471fde54f41129d9641c0fec7160f0896">65414d14</a></strong>
<div>
<span>by Stanislav Levin</span>
<i>at 2018-06-21T13:30:58Z</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">Fix formatted translations in domainlevel plugin
For now formatting is applied for bare messages before translating.
This breaks python-brace-format and message becomes untranslatable.
Fixes: https://pagure.io/freeipa/issue/7586
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/commit/229f1608db868ced234e84e0bc7e949decd3e75e">229f1608</a></strong>
<div>
<span>by Stanislav Levin</span>
<i>at 2018-06-21T13:30:58Z</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">Fix translation of idrange_* commands description
For now formatting is applied for bare messages before translating.
This breaks python-brace-format and message becomes untranslatable
at all.
Also some messages to be translated at request time should
not use format().
Fixes: https://pagure.io/freeipa/issue/7586
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/commit/6f245db8eacb9bdc1e248b4f6f25e5eb785478c4">6f245db8</a></strong>
<div>
<span>by Stanislav Levin</span>
<i>at 2018-06-21T13:30:58Z</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">Fix formatted translations in trust plugin
Translation objects have support for format(). This allows to
get rid of unicode() which has been removed in Python3.
Also some messages to be translated at request time should
not use format()
Fixes: https://pagure.io/freeipa/issue/7586
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/commit/1dfdbfd8bf9657e4066a3ba5f847dbcb35228f0c">1dfdbfd8</a></strong>
<div>
<span>by Stanislav Levin</span>
<i>at 2018-06-21T13:30:58Z</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">Fix formatted translations of error messages in serverroles plugin
For now formatting is applied for bare messages before translating.
This breaks python-brace-format and message becomes untranslatable
at all.
Fixes: https://pagure.io/freeipa/issue/7586
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/commit/4b3bc490d3be109ea048f165a1929438760d8a54">4b3bc490</a></strong>
<div>
<span>by Stanislav Levin</span>
<i>at 2018-06-21T13:30:58Z</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">Fix formatted translations of error messages in topology plugin
For now formatting is applied for bare messages before translating.
This breaks python-brace-format and message becomes untranslatable
at all.
Fixes: https://pagure.io/freeipa/issue/7586
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/commit/6fb45d2f5649e516b0e6b865d07649a8583f90e6">6fb45d2f</a></strong>
<div>
<span>by Tomas Krizek</span>
<i>at 2018-06-21T13:54:49Z</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">test_dnssec: re-add named-pkcs11 workarounds
DNSSEC tests starrted to fail again, probably due to a bug in
some underlaying component.
This reverts commit 8bc677512296a7e94c29edd0c1a96aa7273f352a
and makes the xfail test check less strict - it will no longer
mark the test suite red if it passes.
Run DNSSEC tests on PR-CI
Co-authored-by: Felipe Barreto <fbarreto@redhat.com>
Related https://pagure.io/freeipa/issue/5348
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/commit/dae4aac912123db5f8152c566b96c2183b8a0cdc">dae4aac9</a></strong>
<div>
<span>by Christian Heimes</span>
<i>at 2018-06-21T13:54:49Z</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">Tests: Set default TTL for DNS zones to 1 sec
When running IPA tests, a default TTL for the zone should be set
very low to allow get rid of timeouts in the tests. Zone updates should
be propagated to the clients as soon as possible.
This is not something that should be used in production so the change is
done purely at install time within the tests. As zone information is
replicated, we only modify it when creating a master with integrated
DNS.
This change should fix a number of DNSSEC-related tests where default
TTL is longer than what a test expects and a change of DNSSEC keys
never gets noticed by the BIND. As result, DNSSEC tests never match
their expected output with what they received from the BIND.
Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com>
Co-authored-by: Alexander Bokovoy <abokovoy@redhat.com>
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/commit/3a8f0bb16b9201089638eb4cbbcfe032be878ddc">3a8f0bb1</a></strong>
<div>
<span>by Christian Heimes</span>
<i>at 2018-06-21T13:54:49Z</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">Remove restarted_named and xfail
With shorter TTL, several named restarts are no longer necessary to make
tests pass. The test case TestZoneSigningWithoutNamedRestart is no
longer relevant, too.
Modification of the root zone and disabling/enabling signing still seems
to need a restart. I have marked those cases as TODO.
See: https://pagure.io/freeipa/issue/5348
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/commit/32ed10caf95973a0103d1257a1074e0343a91f47">32ed10ca</a></strong>
<div>
<span>by Stanislav Levin</span>
<i>at 2018-06-21T16:42:05Z</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">Apply validate_doc() to NO_CLI commands
This should prevent from NO_CLI commands have no translatable
description or have no one at all in Web UI API Browser.
Fixes: https://pagure.io/freeipa/issue/7592
Reviewed-By: Tibor Dudlak <tdudlak@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/commit/c1f7a14c95fbf1d247f63c343fdd6a5773e1ab16">c1f7a14c</a></strong>
<div>
<span>by Stanislav Levin</span>
<i>at 2018-06-21T16:42:05Z</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">Fix some untranslatable commands in Web UI API Browser
There are some missing translatable docstrings of commands and modules.
Fixes: https://pagure.io/freeipa/issue/7592
Reviewed-By: Tibor Dudlak <tdudlak@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/commit/de8d308196bab1dac5bba7a8a6a517a1e67e877f">de8d3081</a></strong>
<div>
<span>by Armando Neto</span>
<i>at 2018-06-21T18:42:15Z</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">ipaserver config plugin: Increase search records minimum limit
Check if the given search records value is greater than an arbitrary number that is not so close to zero.
https://pagure.io/freeipa/issue/6617
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/commit/14c869b347e488e40544ee1e6c4b35341124c76c">14c869b3</a></strong>
<div>
<span>by Christian Heimes</span>
<i>at 2018-06-22T11:01:55Z</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">Improve and fix timeout bug in wait_for_entry()
replication.wait_for_entry() now can wait for an attribute value to
appear on a replica.
Fixed timeout handling caused by bad rounding and comparison. For small
timeouts, the actual time was rounded down. For example for 60 seconds
timeout and fast replica, the query accumulated to about 0.45 seconds
plus 60 seconds sleep. 60.45 is large enough to terminate the loop
"while int(time.time()) < timeout", but not large enough to trigger the
exception in "if int(time.time()) > timeout", because int(60.65) == 60.
See: https://pagure.io/freeipa/issue/7593
Fixes: https://pagure.io/freeipa/issue/7595
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Fraser Tweedale <ftweedal@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/commit/1b966f708aa33c07f68fc30daaf6e4800a6b4a53">1b966f70</a></strong>
<div>
<span>by Christian Heimes</span>
<i>at 2018-06-22T11:01:55Z</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">Use common replication wait timeout of 5min
Instead of multiple timeout values all over the code base, all
replication waits now use a common timeout value from api.env of 5
minutes. Waiting for HTTP/replica principal takes 90 to 120 seconds, so
5 minutes seem like a sufficient value for slow setups.
Fixes: https://pagure.io/freeipa/issue/7595
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Fraser Tweedale <ftweedal@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/commit/ad838c37a9ca2d1c5a2e0becf73ddacb004b3ab6">ad838c37</a></strong>
<div>
<span>by Christian Heimes</span>
<i>at 2018-06-22T11:01:55Z</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">Fix replication races in Dogtag admin code
DogtagInstance.setup_admin and related methods have multiple LDAP
replication race conditions. The bugs can cause parallel
ipa-replica-install to fail.
The code from __add_admin_to_group() has been changed to use MOD_ADD
ather than search + MOD_REPLACE. The MOD_REPLACE approach can lead to
data loss, when more than one writer changes a group.
setup_admin() now waits until both admin user and group membership have
been replicated to the master peer. The method also adds a new ACI to
allow querying group member in the replication check.
Fixes: https://pagure.io/freeipa/issue/7593
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Fraser Tweedale <ftweedal@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/commit/c7ac8b91db19094e7c22b35afd47351a44bd2526">c7ac8b91</a></strong>
<div>
<span>by Sudhir Menon</span>
<i>at 2018-06-22T15:02:40Z</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">DOAP Description for IPA Project
https://pagure.io/freeipa/issue/2536
Signed-off-by: Sudhir Menon <sumenon@redhat.com>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/commit/89ae4341311df1e64a499c69ef762de3ffb1b369">89ae4341</a></strong>
<div>
<span>by Sudhir Menon</span>
<i>at 2018-06-22T15:02:40Z</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">Adding modified DOAP file
Signed-off-by: Sudhir Menon <sumenon@redhat.com>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/commit/e90d90c5c36c5c415613930baf8559f47362b446">e90d90c5</a></strong>
<div>
<span>by Mohammad Rizwan Yusuf</span>
<i>at 2018-06-25T08:37:58Z</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">Check if issuer DN is updated after self-signed > external-ca
This test checks if issuer DN is updated properly after CA is
renewed from self-signed to external-ca
related ticket: https://pagure.io/freeipa/issue/7316
Signed-off-by: Mohammad Rizwan Yusuf <myusuf@redhat.com>
Replaced hardcoded issuer CN for external ca with constant
Signed-off-by: Mohammad Rizwan Yusuf <myusuf@redhat.com>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/commit/0e21d933916b71d901310db6d16694401c289dd9">0e21d933</a></strong>
<div>
<span>by Christian Heimes</span>
<i>at 2018-06-25T11:41:18Z</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">Use 4 WSGI workers on 64bit systems
Commit f1d5ab3a03191dbb02e5f95308cf8c4f1971cdcf increases WSGI worker
count to five. This turned out to be a bit much for our test systems.
Four workers are good enough and still double the old amount.
See: https://pagure.io/freeipa/issue/7587
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Tibor Dudlak <tdudlak@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/commit/ba8cbb8c62d270772a9d70f5b2ca3bdab1e75d49">ba8cbb8c</a></strong>
<div>
<span>by Christian Heimes</span>
<i>at 2018-06-27T09:05:01Z</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">Ensure that public cert and CA bundle are readable
In CIS hardened mode, the process umask is 027. This results in some
files not being world readable. Ensure that write_certificate_list()
calls in client installer, server installer, and upgrader create cert
bundles with permission bits 0644.
Fixes: https://pagure.io/freeipa/issue/7594
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Tibor Dudlak <tdudlak@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/commit/1434f2a203b123c8fedfa464f22ce13de89897de">1434f2a2</a></strong>
<div>
<span>by Christian Heimes</span>
<i>at 2018-06-27T09:05:01Z</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">Always make ipa.p11-kit world-readable
Ensure that ipa.p11-kit is always world-readable.
Fixes: https://pagure.io/freeipa/issue/7594
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Tibor Dudlak <tdudlak@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/commit/89b2137dc257dfe3db0ff097e6c797223c2b5664">89b2137d</a></strong>
<div>
<span>by Christian Heimes</span>
<i>at 2018-06-27T09:05:01Z</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">Make /etc/httpd/alias world readable & executable
The directory /etc/httpd/alias contains public key material. It must be
world readable and executable, so any client can read public certs.
Note: executable for a directory means, that a process is allowed to
traverse into the directory.
Fixes: https://pagure.io/freeipa/issue/7594
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Tibor Dudlak <tdudlak@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/commit/c2eb0f1612c920d03a8fd14863412c9cef275a3d">c2eb0f16</a></strong>
<div>
<span>by Christian Heimes</span>
<i>at 2018-06-27T09:05:01Z</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">Fix permission of public files in upgrader
Make CA bundles, certs, and cert directories world-accessible in
upgrader.
Fixes: https://pagure.io/freeipa/issue/7594
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Tibor Dudlak <tdudlak@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/commit/39ac5f442a73aceb8690a5f07fcf08ea71893962">39ac5f44</a></strong>
<div>
<span>by Varun Mylaraiah</span>
<i>at 2018-06-27T11:31:54Z</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">ui_tests: extend test_pwpolicy.py suite
Extend WebUI test_pwpolicy suite with the following test cases
Details in the ticket https://pagure.io/freeipa/issue/7574
Added tests:
krbpwdminlength: lower range integer
krbmaxpwdlife: non-integer, abc
krbmaxpwdlife: upper range integer,2147483648
krbmaxpwdlife: lower range integer,-1
krbminpwdlife: non-integer,edf
krbminpwdlife: upper range integer,2147483648
krbminpwdlife: lower range integer,-1
krbpwdhistorylength: non-integer,HIJ
krbpwdhistorylength: upper range integer,2147483648
krbpwdhistorylength: lower range integer,-1
krbpwdmindiffchars: noon-integer,3lm
krbpwdmindiffchars: upper range integer,2147483648
krbpwdmindiffchars: lower range integer, -1
krbpwdminlength: non-integer, n0p
krbpwdminlength: upper range integer,2147483648
krbpwdminlength: lower range integer, -1
cospriority: non-integer, abc
cospriority: upper range integer,2147483648
cospriority: lower range integer,-1
krbpwdmaxfailure: non-integer
krbpwdmaxfailure: upper range integer
krbpwdmaxfailure: lower range integer
krbpwdfailurecountinterval: non-integer
krbpwdfailurecountinterval: upper range integer
krbpwdfailurecountinterval: lower range integer
krbpwdlockoutduration: non-integer
krbpwdlockoutduration: upper range integer
krbpwdlockoutduration: lower range integer
deletePolicy_with various scenario
MeasurementUnitAdded_Bug798363
Delete global password policy
add_Policy_adder_dialog_bug910463
delete_Policy_deleter_dialog_bug910463
test field: cospriority
modifyPolicy(undo/refresh/reset)
empty policy name
upper bound of data range
lower bound of data range
non integer for policy priority
Signed-off-by: Varun Mylaraiah <mvarun@redhat.com>
Reviewed-By: Pavel Picka <ppicka@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/commit/81f36df7acdccac9b66d2e10adf9a04f8fb7fadd">81f36df7</a></strong>
<div>
<span>by Alexander Bokovoy</span>
<i>at 2018-06-27T15:49:35Z</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">ipaserver/dcerpc.py: handle indirect topology conflicts
When AD forest A has a trust with a forest B that claims ownership
of a domain name (TLN) owned by an IPA forest, we need to build
exclusion record for that specific TLN, not our domain name.
Use realmdomains to find a correct exclusion entry to build.
Fixes: https://pagure.io/freeipa/issue/7370
Reviewed-By: Armando Neto <abiagion@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/commit/d622be295a8c61fc3b3213527de1684c4af6a7ac">d622be29</a></strong>
<div>
<span>by Armando Neto</span>
<i>at 2018-06-27T18:25:39Z</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">Prevent the creation on users and groups with numeric characters only
Update regular expression validator to prevent user and group creation.
Fixes: https://pagure.io/freeipa/issue/7572
Signed-off-by: Armando Neto <abiagion@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/commit/a39f65634036bc173bcb99120a41447d9ea1bfeb">a39f6563</a></strong>
<div>
<span>by Florence Blanc-Renaud</span>
<i>at 2018-06-28T09:41:17Z</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">ipa-client-install: enable and start oddjobd if mkhomedir
Since the switch to authselect, the service oddjobd is not
automatically enabled when ipa client is installed with
--mkhomedir.
The fix makes sure that the service is enabled/started, and
stores the pre-install state in sysrestore.state, in order
to revert to the pre-install state when uninstall is called
Fixes:
https://pagure.io/freeipa/issue/7604
Reviewed-By: Christian Heimes <cheimes@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/commit/7bf99e8dc57c78444f0d7fbeeaeae8071dc22503">7bf99e8d</a></strong>
<div>
<span>by Florence Blanc-Renaud</span>
<i>at 2018-06-28T09:41:17Z</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">Add test for ticket 7604: ipa-client-install --mkhomedir doesn't enable oddjobd
Add a test checking that ipa-client-install --mkhomedir
is properly enableing/starting oddjobd.
Related to:
https://pagure.io/freeipa/issue/7604
Reviewed-By: Christian Heimes <cheimes@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/commit/0128b3f92ec2b9372fe9ff4d2120af9ca7fbd9a0">0128b3f9</a></strong>
<div>
<span>by Anuja More</span>
<i>at 2018-06-29T08:31:50Z</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">Test for ipa-client-install should not use hardcoded admin principal
Signed-off-by: Anuja More <amore@redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
Reviewed-By: Tibor Dudlak <tdudlak@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/commit/52cdd213b4320ef463c4d0053b436511e3f53709">52cdd213</a></strong>
<div>
<span>by Christian Heimes</span>
<i>at 2018-06-29T13:48:43Z</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">Catch ACIError instead of invalid credentials
ipaldap's LDAPClient client turns INVALID_CREDENTIAL error into
ACIError. Catch the ACIError and wait until the user has been
replicated.
Apparently no manual or automated test ran into the timeout during
testing.
Fixes: Fixes: https://pagure.io/freeipa/issue/7593
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/commit/f8159d0be003ebd9baefcb76f07375fccc6f5a13">f8159d0b</a></strong>
<div>
<span>by Christian Heimes</span>
<i>at 2018-06-29T15:20:19Z</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">Pythhon3.7: re module has no re._pattern_type
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/commit/4084189f0983fb203d9b33888fbbc350cd1814d3">4084189f</a></strong>
<div>
<span>by Christian Heimes</span>
<i>at 2018-06-29T15:20:19Z</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">pylint: Class node has been renamed to ClassDef
nodes.Class has been removed from pylint and astroid 2.0. The new names
have been available for a while.
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/commit/627cb490d2919daa8bd11310df987fced4bf9354">627cb490</a></strong>
<div>
<span>by Rob Crittenden</span>
<i>at 2018-07-03T13:37:27Z</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">Extend CALessBase::installer_server to accept extra_args
Allow callers to pass abitrary extra arguments to the installer.
This is useful when using a CALess installation in order to
speed up tests that require a full install but do not require
a full PKI.
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/commit/00dceb434d0cd7aeddbd3c3eec04d5ac4efea61e">00dceb43</a></strong>
<div>
<span>by Justin Stephenson</span>
<i>at 2018-07-03T13:37:27Z</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">Skip zone overlap check with auto-reverse
Skip the existing reverse zone overlap check during DNS installation
when both --auto-reverse and --allow-zone-overlap arguments are
provided.
https://pagure.io/freeipa/issue/7239
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/commit/dcaa62f6a4e0a57de9d0affda584a27539bc4a36">dcaa62f6</a></strong>
<div>
<span>by Nikhil Dehadrai</span>
<i>at 2018-07-03T15:04:50Z</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">Test for improved Custodia key distribution
The test checks that custodia keys are properly
replicated from the source and are successfully
distributed amongst peer system upon successful
replica installation.
Fixes: https://pagure.io/freeipa/issue/7518
Signed-off-by: Nikhil Dehadrai <ndehadra@redhat.com>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/commit/6896c90eb25ffa6ab1ae64efa06b1f8c854aaed6">6896c90e</a></strong>
<div>
<span>by Christian Heimes</span>
<i>at 2018-07-04T07:32:54Z</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">Extend Sub CA replication test
Test more scenarios like replication replica -> master. Verify that master
and replica have all expected certs with correct trust flags and all keys.
See: https://pagure.io/freeipa/issue/7590
See: https://pagure.io/freeipa/issue/7589
Fixes: https://pagure.io/freeipa/issue/7611
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/commit/a7627a7d8a226dc274ba8e9fdd0804edefdba2c6">a7627a7d</a></strong>
<div>
<span>by Christian Heimes</span>
<i>at 2018-07-04T07:32:54Z</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">Require JSS 4.4.5 with replication fixes
JSS fixes two issues related to cert replication and trust flags. The
bugs causes the replicated NSS DB to miss public key entries.
See: https://github.com/dogtagpki/jss/pull/13
See: https://github.com/dogtagpki/jss/pull/15
Fixes: https://pagure.io/freeipa/issue/7590
Fixes: https://pagure.io/freeipa/issue/7589
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/commit/e140d198eaf6982a966b2d0bf3edbd091142a894">e140d198</a></strong>
<div>
<span>by Michal Reznik</span>
<i>at 2018-07-04T13:21:30Z</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">ui_tests: stabilization fixes
This patch aims to fix the following tests which seems to be quite
unstable recently:
test_user::test_actions - closing notification and moving to element
to have screenshot of current place.
test_user::certificates - add wait() / close_notification
Also adds missing @screenshot decorator to test_user_misc method.
Reviewed-By: Pavel Picka <ppicka@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/commit/79391ad8e1e15af14b86167fb110c139d291a0a0">79391ad8</a></strong>
<div>
<span>by Armando Neto</span>
<i>at 2018-07-04T13:21:30Z</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">ui_tests: fix test_config::test_size_limits
Fix a regression caused by: https://pagure.io/freeipa/issue/7606
Signed-off-by: Armando Neto <abiagion@redhat.com>
Reviewed-By: Pavel Picka <ppicka@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/commit/417f74868276cf67580d39d82f5bbfe96c83d62c">417f7486</a></strong>
<div>
<span>by Michal Reznik</span>
<i>at 2018-07-04T14:03:02Z</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">ipa_tests: ipa-replica-prepare stuck on user input
TestOldReplicaWorksAfterDomainUpgrade is getting stuck while
running "ipa-replica-prepare" as it is asking for user input:
"Do you want to search for missing reverse zones?". Adding
"--auto-reverse" in order to continue.
https://pagure.io/freeipa/issue/7615
Reviewed-By: Christian Heimes <cheimes@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/commit/53c549664795f54dbc337e45aeba84fbff843109">53c54966</a></strong>
<div>
<span>by Armando Neto</span>
<i>at 2018-07-05T17:42:43Z</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">ipa-client-install: Update how comments are added by ipachangeconf
Due to how 'openldap-client' parses its configuration files this patch
changes how comments are added, moving them to the line above instead
of appending to the same line.
IPA doesn't want to break existing configuration, if a value already
exists it adds a comment to the modified setting and a note about that
on the line above.
New settings will be added without any note.
Issue: https://pagure.io/freeipa/issue/5202
Signed-off-by: Armando Neto <abiagion@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/commit/198a2c61129675b928bb7a970d5fc4c63a032456">198a2c61</a></strong>
<div>
<span>by Christian Heimes</span>
<i>at 2018-07-05T17:45:10Z</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">Import ABCs from collections.abc
Python 3 has moved all collection abstract base classes to
collections.abc. Python 3.7 started to deprecate the old aliases.
The whole import block needs to be protected with import-error and
no-name-in-module, because Python 2 doesn't have collections.abc module and
collections.abc.Mapping, while Python 3 doesn't have collections.Mapping.
Fixes: https://pagure.io/freeipa/issue/7609
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Fraser Tweedale <ftweedal@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/commit/9c86d35a3f0af4a793fada7dfe726e9cc66782ea">9c86d35a</a></strong>
<div>
<span>by Christian Heimes</span>
<i>at 2018-07-05T17:46:42Z</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">Cleanup shebang and executable bit
- Add missing executable bits to all scripts
- Remove executable bits from all files that are not scripts,
e.g. js, html, and Python libraries.
- Remove Python shebang from all Python library files.
It's frown upon to have executable library files in site-packages.
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Armando Neto <abiagion@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/commit/e8d33ccfd16dc82cfe383bb36eb15db60dafb19d">e8d33ccf</a></strong>
<div>
<span>by Armando Neto</span>
<i>at 2018-07-05T21:09:27Z</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">ipa-server-install: fix zonemgr argument validator
Fix `ERROR 'str' object has no attribute 'decode'` when --zonemgr is
passed to ipa-server-install.
Solution copied from commit 75d26e1f0121f875bdb017b0636c02a6f5660e8a,
function `ipaserver.install.bindinstance.zonemgr_callback` duplicates
the behavior of the method affected by this patch.
Issue: https://pagure.io/freeipa/issue/7612
Signed-off-by: Armando Neto <abiagion@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/commit/7c2ca14118f3396b2b4ca4ac4d4d986569349415">7c2ca141</a></strong>
<div>
<span>by Christian Heimes</span>
<i>at 2018-07-06T11:26:43Z</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">Query for server role IPA master
server_find and server_role plugin were hiding IPA master role
information. It's now possible to fetch IPA master role information and
to filter by IPA master role, e.g. to ignore servers that have some
services configured but not (yet) enabled.
See: https://pagure.io/freeipa/issue/7566
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Fraser Tweedale <ftweedal@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/commit/10457a01bf6077e6978b3672dbbd7dc86a170e91">10457a01</a></strong>
<div>
<span>by Christian Heimes</span>
<i>at 2018-07-06T11:26:43Z</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">Only create DNS SRV records for ready server
When installing multiple replicas in parallel, one replica may create
SRV entries for other replicas, although the replicas aren't fully
installed yet. This may cause some services to connect to a server, that
isn't ready to serve requests.
The DNS IPASystemRecords framework now skips all servers that aren't
ready IPA masters.
See: https://pagure.io/freeipa/issue/7566
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Fraser Tweedale <ftweedal@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/commit/7284097eedef70dd556270732e6ab8e23501ce09">7284097e</a></strong>
<div>
<span>by Christian Heimes</span>
<i>at 2018-07-06T11:26:43Z</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">Delay enabling services until end of installer
Service entries in cn=FQDN,cn=masters,cn=ipa,cn=etc are no longer
created as enabled. Instead they are flagged as configuredService. At
the very end of the installer, the service entries are switched from
configured to enabled service.
- SRV records are created at the very end of the installer.
- Dogtag installer only picks fully installed servers
- Certmonger ignores all configured but not yet enabled servers.
Fixes: https://pagure.io/freeipa/issue/7566
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Fraser Tweedale <ftweedal@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/commit/e32cfd14a9559a126e29f8c0215e3e80bf3924f6">e32cfd14</a></strong>
<div>
<span>by Florence Blanc-Renaud</span>
<i>at 2018-07-06T15:40:55Z</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">ipa client uninstall: clean the state store when restoring hostname
When ipa client was installed with the --hostname= option, it stores
[network]
hostname = (current hostname)
in /var/lib/ipa-client/sysrestore/sysrestore.state and changes the hostname
from (current hostname) to the value provided in --hostname.
During uninstall, the previous hostname is restored but the entry does
not get removed from sysrestore.state. As the uninstaller checks if all
entries from sysrestore.state have been restored, it warns that some
state has not been restored.
The fix calls statestore.restore_state() instead of statestore.get_state()
as this method also clears the entry.
https://pagure.io/freeipa/issue/7620
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/commit/8fa767622f2e3f40109cbb85b7d3dccfd4e33a2e">8fa76762</a></strong>
<div>
<span>by Christian Heimes</span>
<i>at 2018-07-06T15:53:06Z</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">Fix CA topology warning
Commit 7284097eedef70dd556270732e6ab8e23501ce09 kept
find_providing_servers('CA') call before enable_services(). Therefore the
list of known CA servers did not contain the current replica.
ipa-replica-install on the first replica with --setup-ca still printed
the CA topology warning.
See: https://pagure.io/freeipa/issue/7566
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/commit/f29412729e0a6b81f42043a93682bd944f0afa8a">f2941272</a></strong>
<div>
<span>by Rob Crittenden</span>
<i>at 2018-07-06T16:25:52Z</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">replicainstall: DS SSL replica install pick right certmonger host
Extend fix 0f31564b35aac250456233f98730811560eda664 to also move
the DS SSL setup so that the xmlrpc_uri is configured to point
to the remote master we are configuring against.
https://pagure.io/freeipa/issue/7566
Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/commit/b274da726b896730b47d47f4ad664c5c0583b469">b274da72</a></strong>
<div>
<span>by Armando Neto</span>
<i>at 2018-07-07T08:20:01Z</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">Replace file.flush() calls with flush_sync() helper
Calls to `os.fsync(f.fileno())` need to be accompained by `f.flush()`.
Commit 8bbeedc93fd442cbbb9bb70e5f446011e95211db introduces the helper
`ipapython.ipautil.flush_sync()`, which handles all calls in the right
order.
However, `flush_sync()` takes as parameter a file object with fileno
and name, where name must be a path to the file, this isn't possible
in some cases where file descriptors are used.
Issue: https://pagure.io/freeipa/issue/7251
Signed-off-by: Armando Neto <abiagion@redhat.com>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/commit/199d50a4c8ac2dd96a8bca3af4a90e4a9c05adf9">199d50a4</a></strong>
<div>
<span>by Christian Heimes</span>
<i>at 2018-07-09T12:36:42Z</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">Fix race condition in get_locations_records()
The method IPASystemRecords.get_locations_records() has a race condition.
The IPASystemRecords object creates a mapping of server names to server
data. get_locations_records() uses server_find() again to get a list of
servers, but then operates on the cached dict of server names.
In parallel replication case, the second server_find() call in
get_locations_records() can return additional servers. Since the rest of
the code operates on the cached data, the method then fails with a KeyError.
server_data is now an OrderedDict to keep same sorting as with
server_find().
Fixes: https://pagure.io/freeipa/issue/7566
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Tibor Dudlak <tdudlak@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/commit/811b0fdb4620938963f1a29d3fdd22257327562c">811b0fdb</a></strong>
<div>
<span>by Christian Heimes</span>
<i>at 2018-07-09T16:20:17Z</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">Tune DS replication settings
Tune 389-DS replication settings to improve performance and avoid
timeouts. During installation of a replica, the value of
nsDS5ReplicaBindDnGroupCheckInterval is reduced to 2 seconds. At the end
of the installation, the value is increased sensible production
settings. This avoids long delays during replication.
See: https://pagure.io/freeipa/issue/7617
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Tibor Dudlak <tdudlak@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/commit/fcb2a06931ea98cd4c5a8d809718f85500de400f">fcb2a069</a></strong>
<div>
<span>by Stanislav Levin</span>
<i>at 2018-07-09T16:27:05Z</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">Fix link to browser configuration guide on Login page
There is a mismatch between 'i18n' krb_auth_msg and 'LoginScreen'
widget kerberos_msg. The former links to "unauthorized.html", but the latter
to "ssbrowser.html". Both should link to "ssbrowser.html" page.
Fixes: https://pagure.io/freeipa/issue/7624
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/commit/1fa2a7cd41095295ebee5cd3b280507580ba8fbb">1fa2a7cd</a></strong>
<div>
<span>by Christian Heimes</span>
<i>at 2018-07-09T18:15:18Z</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">Auto-retry failed certmonger requests
During parallel replica installation, a request sometimes fails with
CA_REJECTED or CA_UNREACHABLE. The error occur when the master is
either busy or some information haven't been replicated yet. Even
a stuck request can be recovered, e.g. when permission and group
information have been replicated.
A new function request_and_retry_cert() automatically resubmits failing
requests until it times out.
Fixes: https://pagure.io/freeipa/issue/7623
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/commit/2b669c52a566382eecbed1511640f647d54f5b55">2b669c52</a></strong>
<div>
<span>by Christian Heimes</span>
<i>at 2018-07-09T18:15:18Z</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">Wait for client certificates
ipa-client-install --request-cert now waits until certmonger has
provided a host certificate. In case of an error, ipa-client-install no
longer pretents to success but fails with an error code.
The --request-cert option also ensures that certmonger is enabled and
running.
See: Fixes: https://pagure.io/freeipa/issue/7623
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/commit/9222a08c288159a7a150923a2eb825a47da36a13">9222a08c</a></strong>
<div>
<span>by Christian Heimes</span>
<i>at 2018-07-10T15:51:05Z</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">Fix DNSSEC install regression
7284097eedef70dd556270732e6ab8e23501ce09 introduced a regression in
DNSSEC master installation. For standalone and replica installation,
services have to be enabled before checking bind config.
Fixes: https://pagure.io/freeipa/issue/7635
See: https://pagure.io/freeipa/issue/7566
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Tibor Dudlak <tdudlak@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/commit/b4ad0d19a20cc66690e7f4e9c4327afeedff2ab2">b4ad0d19</a></strong>
<div>
<span>by Armando Neto</span>
<i>at 2018-07-11T08:11:38Z</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">Fix pylint 2.0 return-related violations
Aiming to support pylint 2.0 some functions and methods must have their
return statements updated in order to fix two new violations:
- `useless-return` (R1711):
Useless return at end of function or method Emitted when a single
"return" or "return None" statement is found at the end of function
or method definition. This statement can safely be removed because
Python will implicitly return None
- `inconsistent-return-statements` (R1710):
Either all return statements in a function should return an
expression, or none of them should. According to PEP8, if any return
statement returns an expression, any return statements where no value
is returned should explicitly state this as return None, and an
explicit return statement should be present at the end of the
function (if reachable)
Issue: https://pagure.io/freeipa/issue/7614
Signed-off-by: Armando Neto <abiagion@redhat.com>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/commit/0c1010d6f7585095402f47c111b8bb6cde3068b3">0c1010d6</a></strong>
<div>
<span>by Christian Heimes</span>
<i>at 2018-07-11T08:50:33Z</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">Mark all expected failures as strict
With strict=True, xfail() fails when the test case passes unexpectably.
This allows us to spot passing tests that are expected to fail.
Fixes: https://pagure.io/freeipa/issue/7613
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Petr Cech <pcech@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/commit/ec65590c9f2e00d0e527e7bbf521a0b99997788c">ec65590c</a></strong>
<div>
<span>by Christian Heimes</span>
<i>at 2018-07-11T08:50:33Z</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">Fix XPASS in test_installation
Several test cases in test_installation pass, but are marked as xfail().
Only mark the actual failing tests as failed.
See: https://pagure.io/freeipa/issue/7613
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Petr Cech <pcech@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/commit/f48f00c692d10541171ff5267cf20ccee74f2ad5">f48f00c6</a></strong>
<div>
<span>by Christian Heimes</span>
<i>at 2018-07-11T12:35:55Z</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">pylint 2.0: node.path is a list
In pylint 2.0 and astroid 2.0, node.path has become a list. It's usually
a list of one element unless namespace packages are involved.
See https://github.com/PyCQA/astroid/commit/7f46f9341cc54bbe6763409c4ca7ea3adfec098a#diff-f0ac879524bcb98964f7d8738a084820
See: https://pagure.io/freeipa/issue/7614
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Armando Neto <abiagion@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/commit/ba954efafdb3e430c76dfc327d2b683ac0e117eb">ba954efa</a></strong>
<div>
<span>by Armando Neto</span>
<i>at 2018-07-12T06:49:43Z</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">Fix pylint 2.0 conditional-related violations
In order to support pylint 2.0 the following violations must be fixed:
- `chained-comparison` (R1716):
Simplify chained comparison between the operands This message is
emitted when pylint encounters boolean operation like
"a < b and b < c", suggesting instead to refactor it to "a < b < c".
- `consider-using-in` (R1714):
Consider merging these comparisons with "in" to %r To check if a
variable is equal to one of many values,combine the values into a
tuple and check if the variable is contained "in" it instead of
checking for equality against each of the values.This is faster
and less verbose.
Issue: https://pagure.io/freeipa/issue/7614
Signed-off-by: Armando Neto <abiagion@redhat.com>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/commit/f89e501ee13ce4d5f23ef33e3acacb181788fa5e">f89e501e</a></strong>
<div>
<span>by Christian Heimes</span>
<i>at 2018-07-12T13:26:25Z</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">Handle races in replica config
When multiple replicas are installed in parallel, two replicas may try
to create the cn=replica entry at the same time. This leads to a
conflict on one of the replicas. replica_config() and
ensure_replication_managers() now handle conflicts.
ipaldap now maps TYPE_OR_VALUE_EXISTS to DuplicateEntry(). The type or
value exists exception is raised, when an attribute value or type is
already set.
Fixes: https://pagure.io/freeipa/issue/7566
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Thierry Bordaz <tbordaz@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/commit/ca7cece13303b3610a71b9e2a0adcb462006382b">ca7cece1</a></strong>
<div>
<span>by Petr Vobornik</span>
<i>at 2018-07-12T13:38:01Z</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">WebUI build: replace uglifyjs with system package
UgligyJS is packaged in Fedora and other OSes it is no longer required
to carry our own version. This will lower the maintanance burden - the
code doesn't need to be updated and it is less code to have in repo.
On some configuration usage of the budled UglifyJS 1 produces
"JavaScript throw: java.lang.StackOverflowError" exception. Usage of more
recent version should fix it.
Reviewed-By: Armando Neto <abiagion@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/commit/df95ba598313b8b03a492a3c89af151ef0faa08d">df95ba59</a></strong>
<div>
<span>by Petr Vobornik</span>
<i>at 2018-07-12T13:38:01Z</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">WebUI build: use NodeJS instead of Rhino
Rhino is no longer mainstream, nor is Nashorn. In addition it is quite
slow (about 10x) in comparison to NodeJS. Over the years NodeJS became
common part of OSes, thus one of the original reasons why use Rhino
went away.
The change in 01-Make-dojo-builder-buildable-by-itself.patch fixes
an incorrect change of the patch (it was not processing input options
well).
Removing configRhino.js and adding configNode.js are prerequisites
for Dojo Builder. These files are copied from Dojo project. Without
them it doesn̈́'t run. In long run, it would be good to replace Dojo
builder with something else but that is outside of this commit/PR.
Last changes are preparation for update to latest stable version of
Dojo 1. The updated Dojo and Dojo builder are in subsequent commit.
Reviewed-By: Armando Neto <abiagion@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/commit/19c3f173d9c824eaa099b07d2ea341acf42f12f2">19c3f173</a></strong>
<div>
<span>by Petr Vobornik</span>
<i>at 2018-07-12T13:38:01Z</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">Update Dojo and Dojo builder to 1.13.0
This is a result of the previous commits. Building the Dojo builder
was bit more complex as it was:
1. patched Dojo sources
2. built from Dojo builder sources.
3. moved to it's location in FreeIPA project
4. built by util/make-builder.sh (does minimazation and replaces
itself)
Then Dojo layer is built by just:
1. util/make-dojo.sh
This process was documented some time ago at:
https://www.freeipa.org/page/V3/WebUI_build
Reviewed-By: Armando Neto <abiagion@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/commit/10de2f37a25e1781026014ef1ee7180b17e8f422">10de2f37</a></strong>
<div>
<span>by Christian Heimes</span>
<i>at 2018-07-12T16:19:34Z</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">Add tab completion and history to ipa console
ipa console is a useful tool to use FreeIPA's API in an interactive
Python console. The patch adds readline tab completion and history
support.
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/commit/5affc9b982f6314fc6d1c63fb687acee20f5144b">5affc9b9</a></strong>
<div>
<span>by Christian Heimes</span>
<i>at 2018-07-12T16:19:34Z</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">Create helper function to upload to temp file
upload_temp_contents() generates a temporary file on the remote side and
uploads content to that temporary file. The file name is returned.
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/commit/87904b8f6b7ebe4900572e45199449d8b7e47cc0">87904b8f</a></strong>
<div>
<span>by Christian Heimes</span>
<i>at 2018-07-12T16:19:34Z</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">Fix ipa console filename
THe ipa console command takes an optional filename argument. The
filename argument was broken, because the implementation passed a file
object to exec() instead of a string or compiled object.
ipa console now uses compile() to compile the code with print_function
__future__ feature.
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/commit/4fc7f72648df0ae03ac90f701425e297db72e9d6">4fc7f726</a></strong>
<div>
<span>by Christian Heimes</span>
<i>at 2018-07-13T17:56:03Z</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">Teach pylint how our api works
pylint 2.0 is more strict and complains about several aspects of
ipalib.api. It turns out that AstroidBuilder.string_build() can be used
to easily teach pylint about object attributes and attribute values.
Although the assignment wouldn't work with the actual implementation,
the string builder assignments shows pylint the names and values of
members. It works without additional transformation.
See: https://pagure.io/freeipa/issue/7614
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Armando Neto <abiagion@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/commit/aacf185ff8eb1bf6b54e0ba893ca4e750cb69564">aacf185f</a></strong>
<div>
<span>by Christian Heimes</span>
<i>at 2018-07-13T17:56:03Z</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">Add pylint ignore to magic config.Env attributes
pylinti 2 is having a hard time to handle name mangled, magic attributes
correctly. Double under attributes like __d are internally renamed to
_Env__d. After multiple failed attempts, it was easier to just add more
pylint disable to the implementation.
pylint 2 also thinkgs that Env.server is defined much later or the env
doesn't have that member at all. Ignore the false warnings, too.
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Armando Neto <abiagion@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/commit/d13571942e41370fdbd2b6f9960c484fa61c3404">d1357194</a></strong>
<div>
<span>by Armando Neto</span>
<i>at 2018-07-14T10:04:19Z</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">Fix Pylint 2.0 violations
Fix the following violations aiming to support Pylint 2.0
- `unneeded-not` (C0113):
Consider changing "not item in items" to "item not in items" used
when a boolean expression contains an unneeded negation.
- `useless-import-alias` (C0414):
Import alias does not rename original package Used when an import
alias is same as original package.e.g using import numpy as numpy
instead of import numpy as np
- `raising-format-tuple` (W0715):
Exception arguments suggest string formatting might be intended Used
when passing multiple arguments to an exception constructor, the
first of them a string literal containing what appears to be
placeholders intended for formatting
- `bad-continuation` (C0330):
This was already included on the disable list, although with current
version of pylint (2.0.0.dev2) violations at the end of the files
are not being ignored.
See: https://github.com/PyCQA/pylint/issues/2278
- `try-except-raise` (E0705):
The except handler raises immediately Used when an except handler
uses raise as its first or only operator. This is useless because it
raises back the exception immediately. Remove the raise operator or
the entire try-except-raise block!
- `consider-using-set-comprehension` (R1718):
Consider using a set comprehension Although there is nothing
syntactically wrong with this code, it is hard to read and can be
simplified to a set comprehension.Also it is faster since you don't
need to create another transient list
- `dict-keys-not-iterating` (W1655):
dict.keys referenced when not iterating Used when dict.keys is
referenced in a non-iterating context (returns an iterator in
Python 3)
- `comprehension-escape` (W1662):
Using a variable that was bound inside a comprehension Emitted when
using a variable, that was bound in a comprehension handler, outside
of the comprehension itself. On Python 3 these variables will be
deleted outside of the comprehension.
Issue: https://pagure.io/freeipa/issue/7614
Signed-off-by: Armando Neto <abiagion@redhat.com>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/commit/6a2e6864faae60a6db9711db386bd3027c83952e">6a2e6864</a></strong>
<div>
<span>by Christian Heimes</span>
<i>at 2018-07-16T10:23:48Z</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">Fedora 29: No longer build python2-ipaserver
Some Python 2 dependencies such as python2-pki are no longer available
on Fedora 29. The pki package is a required dependency of
python2-ipaserver. It's not yet feasible to remove all Python 2
packages, since fleetcommander is not fully ported to Python 3 yet.
On Fedora 29, python2-ipaserver and python2-ipatests are no longer
built. The Python 3 packages replace the Python 2 packages.
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/commit/3ccd512dab1ce325aad99c39e71ade36db826028">3ccd512d</a></strong>
<div>
<span>by Armando Neto</span>
<i>at 2018-07-16T15:03:35Z</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">Disable Pylint 2.0 violations
Globally disabling the following violations:
- `assignment-from-no-return` (E1111):
Assigning to function call which doesn't return. Used when an
assignment is done on a function call but the inferred function
doesn't return anything.
- `keyword-arg-before-vararg` (W1113):
Keyword argument before variable positional arguments list in the
definition of %s function When defining a keyword argument before
variable positional arguments, one can end up in having multiple
values passed for the aforementioned parameter in case the method is
called with keyword arguments.
Locally disabling the following:
- `subprocess-popen-preexec-fn` (W1509):
Using preexec_fn keyword which may be unsafe in the presence of
threads The preexec_fn parameter is not safe to use in the presence
of threads in your application. The child process could deadlock
before exec is called. If you must use it, keep it trivial! Minimize
the number of libraries you call into.
https://docs.python.org/3/library/subprocess.html#popen-constructor
Fixed violations:
- `bad-mcs-classmethod-argument` (C0204):
Metaclass class method %s should have %s as first argument Used when
a metaclass class method has a first argument named differently than
the value specified in valid-metaclass-classmethod-first-arg option
(default to "mcs"), recommended to easily differentiate them from
regular instance methods.
- Note: Actually `cls` is the default first arg for `__new__`.
- `consider-using-get` (R1715):
Consider using dict.get for getting values from a dict if a key is
present or a default if not Using the builtin dict.get for getting a
value from a dictionary if a key is present or a default if not, is
simpler and considered more idiomatic, although sometimes a bit slower
Issue: https://pagure.io/freeipa/issue/7614
Signed-off-by: Armando Neto <abiagion@redhat.com>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/commit/4edcf8e53cc291b754982582dc39453c67806bed">4edcf8e5</a></strong>
<div>
<span>by Michal Reznik</span>
<i>at 2018-07-17T13:14:48Z</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">Mark DL0 TestReplicaManageDel tests as xfail
Mark failing DL0 TestReplicaManageDel tests as xfail until
issue 7622 is fixed.
https://pagure.io/freeipa/issue/7622
Reviewed-By: Christian Heimes <cheimes@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/commit/7dadedc16b83e9cf2c1c10f2d963b4f99ab583b6">7dadedc1</a></strong>
<div>
<span>by Christian Heimes</span>
<i>at 2018-07-17T14:52:31Z</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">Use python2_sitelib in spec file
%{python_sitelib} has been deprecated in favor of %{python2_sitelib}.
F29 rawhide no longer defines %{python_sitelib}.
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/commit/904458a493f7dab34d664b3d0cc866bd54c9879f">904458a4</a></strong>
<div>
<span>by Christian Heimes</span>
<i>at 2018-07-17T14:52:31Z</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">Update builddep command in BUILD.txt
It's no longer necessary to specify "with_python3" to get Python 3
dependencies.
python3-tox pulls in Python 2.6, 3.3, 3.4, 3.5, and pypy as weak
dependency. Use --setopt=install_weak_deps=False to make a build
environment leaner.
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/commit/653f327b6ad67da532d84cd29a617e6dbbca17b9">653f327b</a></strong>
<div>
<span>by Christian Heimes</span>
<i>at 2018-07-17T14:52:31Z</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">Add more RHEL customizations to spec file
- Handle name / alt name for Fedora and RHEL. On Fedora, the packages
are named "freeipa-*" with alternative names "ipa-*". On RHEL it is
the other way around.
- Don't build ipatests on RHEL.
- Use latest versions of KRB5 on RHEL
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/commit/34fe4b1dd421910a5c8d2cbf96226580f8297bcd">34fe4b1d</a></strong>
<div>
<span>by Christian Heimes</span>
<i>at 2018-07-17T14:52:31Z</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">Remove needless use of %defatt
Original patch by Jason Tibbitts <tibbs@math.uh.edu>
See: https://src.fedoraproject.org/rpms/freeipa/c/9cdadfb7d0d60982dfdadbb9655f44dc43b01549?branch=master
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/commit/ab0835f91f83e295b6ef2875af6470056acdaf76">ab0835f9</a></strong>
<div>
<span>by Stanislav Levin</span>
<i>at 2018-07-17T19:32:28Z</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">Add endpoint for serving i18n requests
For now JSON service is not available without authentication
to IPA. But some of Web UI pages expect translations before
or without Login process. This endpoint serves i18n requests
only.
Fixes: https://pagure.io/freeipa/issue/7559
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Petr Vobornik <pvoborni@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/commit/86b57236c07e72907cda92c09a219b86200dff09">86b57236</a></strong>
<div>
<span>by Stanislav Levin</span>
<i>at 2018-07-17T19:32:28Z</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">Disable authentication to endpoint for serving i18n requests
For now JSON service is not available without authentication
to IPA. But some of Web UI pages expect translations before
or without Login process.
Fixes: https://pagure.io/freeipa/issue/7559
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Petr Vobornik <pvoborni@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/commit/de58b80891aab54ef0439449295846b7470724e6">de58b808</a></strong>
<div>
<span>by Stanislav Levin</span>
<i>at 2018-07-17T19:32:28Z</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">Implement "translations" AMD
This module is used to get translated messages via JSON
request in a synchronous manner. To ensure translatability
i18n messages should be initialized before any other JS code
interacted with user is run.
Fixes: https://pagure.io/freeipa/issue/7559
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Petr Vobornik <pvoborni@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/commit/9492fb7f866c2e8cab269c4131d1a67ff6841af2">9492fb7f</a></strong>
<div>
<span>by Stanislav Levin</span>
<i>at 2018-07-17T19:32:28Z</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">Add dependency to "translations" module
To ensure translatability i18n messages should be
initialized before any other JS code interacted with user
is run.
Fixes: https://pagure.io/freeipa/issue/7559
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Petr Vobornik <pvoborni@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/commit/c0c6b21ba19da4b0c609868c2f95433077341ef7">c0c6b21b</a></strong>
<div>
<span>by Stanislav Levin</span>
<i>at 2018-07-17T19:32:28Z</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">Stop fetching translations at metadata phase
Now i18n data is loaded at "translations" module resolve,
on which "text" module depends. Therefore, there is no
need to do it twice.
Fixes: https://pagure.io/freeipa/issue/7559
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Petr Vobornik <pvoborni@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/commit/5d8fde0ac1a43c8f3dbc53b44d69f3663a8b36fb">5d8fde0a</a></strong>
<div>
<span>by Stanislav Levin</span>
<i>at 2018-07-17T19:32:28Z</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">Fix translations at LoginScreen widget
To be translatable title and label fields should be marked
with @i18n. Also these messages should be provided by
i18n_messages.
Fixes: https://pagure.io/freeipa/issue/7559
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Petr Vobornik <pvoborni@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/commit/2a81ec3b94712e822f7d3a5452974626c4d5c42c">2a81ec3b</a></strong>
<div>
<span>by Stanislav Levin</span>
<i>at 2018-07-17T19:32:28Z</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">Fix translations at login plugin
To be translatable text field should be marked
with @i18n. Also these messages should be provided by
i18n_messages.
Fixes: https://pagure.io/freeipa/issue/7559
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Petr Vobornik <pvoborni@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/commit/6bc37150459c779b46ded736a69637188fa95dd7">6bc37150</a></strong>
<div>
<span>by Stanislav Levin</span>
<i>at 2018-07-17T19:32:28Z</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">Fix translations at load_page plugin
To be translatable text field should be marked
with @i18n. Also these messages should be provided by
i18n_messages.
Fixes: https://pagure.io/freeipa/issue/7559
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Petr Vobornik <pvoborni@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/commit/7f9f59bae2a362ce945c49ad8342393b7a5c024f">7f9f59ba</a></strong>
<div>
<span>by Stanislav Levin</span>
<i>at 2018-07-17T19:32:28Z</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">Fix translation of profile menu
To be translatable label field should be marked
with @i18n. Also these messages should be provided by
i18n_messages.
Fixes: https://pagure.io/freeipa/issue/7559
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Petr Vobornik <pvoborni@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/commit/c4467aaeea6f255d181e286973bff2c1c6dc7280">c4467aae</a></strong>
<div>
<span>by Stanislav Levin</span>
<i>at 2018-07-17T19:32:28Z</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">Add static JSON dump of i18n_messages request
The JSON test data is needed to UI unit tests.
Fixes: https://pagure.io/freeipa/issue/7559
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Petr Vobornik <pvoborni@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/commit/b8607e24d610a240a2501fdfe0242233fa00e2e2">b8607e24</a></strong>
<div>
<span>by Stanislav Levin</span>
<i>at 2018-07-17T19:32:28Z</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">Fix Web UI 'get_entity_param' test
"IPA.init()" is no longer responsible for "IPA.messages".
So "ipa_init" test JSON data must not contain "texts".
Fixes: https://pagure.io/freeipa/issue/7559
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Petr Vobornik <pvoborni@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/commit/0dace623ab1c96b7af8fd64028c9e37d2b10f788">0dace623</a></strong>
<div>
<span>by Stanislav Levin</span>
<i>at 2018-07-17T19:32:28Z</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">Add support for JSON request in HTTP test class
"urllib.parse.urlencode()" brokes JSON request's data.
Fixes: https://pagure.io/freeipa/issue/7559
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Petr Vobornik <pvoborni@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/commit/0908e80d62146c79c4312effb8e285c13294ec4b">0908e80d</a></strong>
<div>
<span>by Stanislav Levin</span>
<i>at 2018-07-17T19:32:28Z</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">Add support for Accept-Language in HTTP test class
"Accept-Language" is used to test translations.
Fixes: https://pagure.io/freeipa/issue/7559
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Petr Vobornik <pvoborni@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/commit/f49fac7bda8150aee2086be9afdbe4eb81c3f18a">f49fac7b</a></strong>
<div>
<span>by Stanislav Levin</span>
<i>at 2018-07-17T19:32:28Z</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">Add tests for "i18n_messages" end point
Fixes: https://pagure.io/freeipa/issue/7559
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Petr Vobornik <pvoborni@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/commit/bb67eea1054c9fe80b8bba67c7dc2c0991a1b991">bb67eea1</a></strong>
<div>
<span>by Stanislav Levin</span>
<i>at 2018-07-17T19:32:28Z</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">Fix Web UI "details lifecycle" test
IPA doesn't provide "messages" anymore.
"text" module should be used instead.
Fixes: https://pagure.io/freeipa/issue/7559
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Petr Vobornik <pvoborni@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/commit/4b2af2570aee6b108504e14330d61bf65a52905c">4b2af257</a></strong>
<div>
<span>by Stanislav Levin</span>
<i>at 2018-07-17T19:32:28Z</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">Stop usage of "IPA.messages" in Web UI "utils" tests
IPA doesn't provide "messages" anymore.
But actually ones are no needed for these tests.
Fixes: https://pagure.io/freeipa/issue/7559
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Petr Vobornik <pvoborni@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/commit/717d59e2fe3cc0318b50f4ee51f4a4e0b963d31d">717d59e2</a></strong>
<div>
<span>by Armando Neto</span>
<i>at 2018-07-18T07:53:53Z</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">Fix regression: Handle unicode where str is expected
Regression caused by 947ac4bc1f6f4016cf5baf2ecb4577e893bc3948 when
trying to fix a similar issue for clients running Python 3. However,
that fix broke Python 2 clients.
Issue: https://pagure.io/freeipa/issue/7626
Signed-off-by: Armando Neto <abiagion@redhat.com>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/commit/759e8355c8b0e4c665e038f3e5bc44b0ca9e279d">759e8355</a></strong>
<div>
<span>by Rob Crittenden</span>
<i>at 2018-07-18T07:54:58Z</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">Update 4.7 translations
Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/commit/47e6f00a64453ab7f278977968546043de009fc4">47e6f00a</a></strong>
<div>
<span>by Rob Crittenden</span>
<i>at 2018-07-19T06:39:15Z</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">Update Contributors.txt
Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/commit/59ef5371e1f34a25408fafcc8aca740a1a2ef724">59ef5371</a></strong>
<div>
<span>by Christian Heimes</span>
<i>at 2018-07-19T06:40:33Z</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">Turn multihost config problems into errors
The pytest multihost plugin skips tests, when there is a problem with a
test configuration. Configuration bugs like missing resources are not
considered a problem.
The IPA pytest multihost config object now turns FilterError into a
fatal error, so make_multihost_fixture() fails a test instead of
skipping.
Fixes: https://pagure.io/freeipa/issue/7638
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Tibor Dudlak <tdudlak@redhat.com>
Reviewed-By: Ganna Kaihorodova <gkaihoro@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/commit/d4732786210f824c87d614fac263361a33e4fbf9">d4732786</a></strong>
<div>
<span>by Stanislav Laznicka</span>
<i>at 2018-07-19T06:42:33Z</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">ipatests: add installer framework testing
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Tibor Dudlak <tdudlak@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/commit/530da69eadf5b73e4ca83252e3a370ed70354a39">530da69e</a></strong>
<div>
<span>by Christian Heimes</span>
<i>at 2018-07-19T13:44:46Z</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">Fix KRA replica installation from CA master
ipa-replica-install --kra-install can fail when the topology already has
a KRA, but replica is installed from a master with just CA. In that
case, Custodia may pick a machine that doesn't have the KRA auditing and
signing certs in its NSSDB.
Example:
* master with CA
* replica1 with CA and KRA
* new replica gets installed from master
The replica installer now always picks a KRA peer.
The change fixes test scenario TestInstallWithCA1::()::test_replica2_ipa_dns_install
Fixes: https://pagure.io/freeipa/issue/7518
See: https://pagure.io/freeipa/issue/7008
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/commit/f84b3f39edb880183722f4814acc56ae1f8edba7">f84b3f39</a></strong>
<div>
<span>by Rob Crittenden</span>
<i>at 2018-07-19T15:27:02Z</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">Become IPA 4.7.0
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/commit/dc5370fb57b5c79a82cfb2b4abf2ceaf99bca00a">dc5370fb</a></strong>
<div>
<span>by Rob Crittenden</span>
<i>at 2018-07-19T16:54:11Z</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">VERSION.m4: Set back to git snapshot
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/commit/28573111ad9f0ecc096f33526a7a39b70625ae40">28573111</a></strong>
<div>
<span>by Rob Crittenden</span>
<i>at 2018-07-23T19:02:20Z</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">Set zanata branch to ipa-4-7
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/commit/2438c3311619336a332196f5e53dfa739fc0b29f">2438c331</a></strong>
<div>
<span>by Petr Vobornik</span>
<i>at 2018-07-25T08:05:33Z</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">webui: change indentation of freeipa/_base/debug.js
Change to use spaces for indentation as it was the the only file
which uses tabs and not spaces.
Signed-off-by: Petr Vobornik <pvoborni@redhat.com>
Reviewed-By: Tibor Dudlak <tdudlak@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/commit/84e48df90500a17f35980a2990497d5596c7fbed">84e48df9</a></strong>
<div>
<span>by Petr Vobornik</span>
<i>at 2018-07-25T08:05:33Z</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">webui: remove mixed indentation in App and LoginScreen
Only spaces should be used for indentation.
It was introduced in commits:
* 7f9f59bae2a362ce945c49ad8342393b7a5c024f
* 5d8fde0ac1a43c8f3dbc53b44d69f3663a8b36fb
Related to: https://pagure.io/freeipa/issue/7559
Signed-off-by: Petr Vobornik <pvoborni@redhat.com>
Reviewed-By: Tibor Dudlak <tdudlak@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/commit/8699fb735604661b8a31923c5890356d78497dda">8699fb73</a></strong>
<div>
<span>by Ganna Kaihorodova</span>
<i>at 2018-07-25T18:04:43Z</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">Add check for occuring traceback during uninstallation ipa master
Modified master uninstall task for traceback check
That approach give us wide coverage and multiple scenarious
to catch traceback during uninstallation process
Add verbose option to uninstall server and set to False
Related to: https://bugzilla.redhat.com/show_bug.cgi?id=1480502
Reviewed-By: Tibor Dudlak <tdudlak@redhat.com>
Reviewed-By: Petr Cech <pcech@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/commit/52fa23c0db842f684cb3b0a090561f128fcc667e">52fa23c0</a></strong>
<div>
<span>by Christian Heimes</span>
<i>at 2018-07-31T11:40:13Z</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">Add convenient template for temp commits
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Michal Reznik <mreznik@redhat.com>
Reviewed-By: Michal Reznik <mreznik@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/commit/e44af22729b07069199a30aa8a597a8bf47fb423">e44af227</a></strong>
<div>
<span>by Christian Heimes</span>
<i>at 2018-07-31T11:40:13Z</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">Fix topology configuration of nightly runs
Some nightly runs didn't have enough resources configured.
See: https://pagure.io/freeipa/issue/7638
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Michal Reznik <mreznik@redhat.com>
Reviewed-By: Michal Reznik <mreznik@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/commit/43dde143a7af775312f748e15117050b0e291467">43dde143</a></strong>
<div>
<span>by Felipe Barreto</span>
<i>at 2018-07-31T11:40:13Z</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">Making nigthly test definition editable by FreeIPA's contributors
Now the test definition of nightly tests will be on freeipa repo. The
definition that's used on every PR (previously as .freeipa-pr-ci.yaml)
is in ipatests/prci_definitions/gating and the .freeipa-pr-ci.yaml file
is just a symlink to the real file.
In the same dir there is also nightly_master and nightly_rawhide, both
to be used in nightly tests.
Divided test_topology.py into 3 subtests.
Bumped vagrant template to version 0.1.6
This PR is the result of discussion on freeipa-devel mailing list [1].
[1] https://lists.fedoraproject.org/archives/list/freeipa-devel@lists.fedorahosted.org/message/4VAWJ4SFKKBFFICDLQCTXJWRRQHIYJLL/
Reviewed-By: Michal Reznik <mreznik@redhat.com>
Reviewed-By: Michal Reznik <mreznik@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/commit/dc5df243f098605ff17b0400283668a14c28e97c">dc5df243</a></strong>
<div>
<span>by Orion Poplawski</span>
<i>at 2018-07-31T11:44:01Z</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">ipaclient-install: chmod needs octal permissions
Fixes incorrect usage introduced in 792adebfabb456d154164387fb7e60acb30f4325
https://pagure.io/freeipa/issue/7650
Signed-off-by: Orion Poplawski <orion@nwra.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/commit/39c6d2a4f5a03e0cf643fbd594785ef6856c8313">39c6d2a4</a></strong>
<div>
<span>by Thomas Woerner</span>
<i>at 2018-07-31T11:46:14Z</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">Fix $-style format string in ipa_ldap_init (util/ipa_ldap.c)
The second argument was not used, but the first one was used twice.
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/commit/e0a8a296be680f2a6593e81084d66828c08e4dad">e0a8a296</a></strong>
<div>
<span>by Christian Heimes</span>
<i>at 2018-08-03T09:37:50Z</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">Rename pytest_plugins to ipatests.pytest_ipa
pytest 3.7.0 doesn't like ipatests.pytest_plugins package. The string
"pytest_plugins" is used as marker to load plugins. By populare vote and
to avoid future conflicts, we decided to rename the directory to pytest_ipa.
Fixes: https://pagure.io/freeipa/issue/7663
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/commit/b7db3ec53e8ac7f7351285b038530bb27e2d3c67">b7db3ec5</a></strong>
<div>
<span>by Thomas Woerner</span>
<i>at 2018-08-03T14:27:38Z</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">ipaserver/plugins/cert.py: Added reason to raise of errors.NotFound
In the case that enabledService is not found ipaConfigString kdc entry, a
NotFound error was raised without setting the reason. This resulted in a
traceback.
Fixes: https://pagure.io/freeipa/issue/7652
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/commit/9cc49cdadd10f0f2d49796ce6303b99b3dcbfb0b">9cc49cda</a></strong>
<div>
<span>by Michal Reznik</span>
<i>at 2018-08-06T14:48:58Z</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">prci_definitions: fix wrong indentation in the nightly yaml
TestLineTopologyWithoutCA definition has wrong indentation.
Reviewed-By: Tibor Dudlak <tdudlak@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/commit/890d773902d36aac376edba52f5090d75d683d0f">890d7739</a></strong>
<div>
<span>by Thierry Bordaz</span>
<i>at 2018-08-06T14:50:07Z</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">In IPA 4.4 when updating userpassword with ldapmodify does not update krbPasswordExpiration nor krbLastPwdChange
When making ipa-pwd-extop TXN aware, some callbacks are call twice.
Particularily
ipapwd_pre_add is called during PRE_ADD and TXN_PRE_ADD
ipapwd_pre_mod is called during PRE_MOD and TXN_PRE_MOD
ipapwd_post_modadd is called during POST_ADD and TXN_POST_ADD
ipapwd_post_modadd is called during POST_MOD and TXN_POST_MOD
It is not the expected behavior and it results on some skipped updates krbPasswordExpiration
and krbLastPwdChange
https://pagure.io/freeipa/issue/7601
Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/commit/7d40c66ea8074015f97841dcead92c158d6cf3c9">7d40c66e</a></strong>
<div>
<span>by Florence Blanc-Renaud</span>
<i>at 2018-08-07T12:55:23Z</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">Tests: add integration test for password changes by dir mgr
Add a test for issue 7601:
- add a user, perform kinit user to modify the password, read krblastpwdchange
and krbpasswordexpiration.
- perform a ldapmodify on the password as dir mgr
- make sure that krblastpwdchange and krbpasswordexpiration have been modified
- perform the same check with ldappasswd
Related to:
https://pagure.io/freeipa/issue/7601
Reviewed-By: Thierry Bordaz <tbordaz@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/commit/efd85b74837ddeb77706ed27de4261cd87528403">efd85b74</a></strong>
<div>
<span>by Thomas Woerner</span>
<i>at 2018-08-07T14:27:42Z</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">httpinstance: Restore SELinux context of session_dir /etc/httpd/alias
The session directory /etc/httpd/alias/ could be created with the wrong
SELinux context. Therefore httpd was not able to write to this directory.
Fixes: https://pagure.io/freeipa/issue/7662
Related-to: 49b4a057f1b0459331bcec2c8d760627d00e4571 (Create missing
/etc/httpd/alias for ipasession.key)
Reviewed-By: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/commit/54d41564445e6b07cdc1dd23784cdb42591ff537">54d41564</a></strong>
<div>
<span>by Thomas Woerner</span>
<i>at 2018-08-07T14:27:42Z</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">ipa_restore: Restore SELinux context of template_dir /var/log/dirsrv/slapd-X
The template directory /var/log/dirsrv/slapd-X could be created with the
wrong SELinux context.
Related to: https://pagure.io/freeipa/issue/7662
Reviewed-By: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/commit/4c089836d8f6170472ab850031a2c200abcceb15">4c089836</a></strong>
<div>
<span>by Florence Blanc-Renaud</span>
<i>at 2018-08-09T07:33:28Z</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">PRCI: extend timeouts for gating
Some tests have been identified as frequently failing on timeouts. While
we are investigating PRCI potential issues, increase the timeouts to
make PRCI usable. The rule is to add 30min if the test involves CA/KRA
installation or 20min otherwise for the most problematic tests.
test_forced_client_enrolment: from 1h to 1h20
test_vault: from 1h15 to 1h45
external_ca_1: from 1h to 1h20
test_sudo: from 1h to 1h20
test_authconfig: from 1h to 1h20
Reviewed-By: Tibor Dudlak <tdudlak@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/commit/d6bdfe417a9867b1d4a3ada3f864777c11cc72bd">d6bdfe41</a></strong>
<div>
<span>by Michal Reznik</span>
<i>at 2018-08-13T12:20:18Z</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">ipa_tests: test ssh keys login
Integration test for:
https://pagure.io/SSSD/sssd/issue/3747
IPA ticket: https://pagure.io/freeipa/issue/7664
Reviewed-By: Armando Neto <abiagion@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/commit/b6e5975408a74048f4a252e7a5244f20dc050ba3">b6e59754</a></strong>
<div>
<span>by Alexander Bokovoy</span>
<i>at 2018-08-13T13:28:08Z</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">ipa-extdom-extop: Update licenses to GPLv3 or later with exceptions
The code in question was supposed to have the same license as the
rest of the plugin. Fix it by updating the comment header.
Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Thomas Woerner <twoerner@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/commit/5e8bc96b2aca26878f98e8180ee21e94f06ae9f1">5e8bc96b</a></strong>
<div>
<span>by Alexander Bokovoy</span>
<i>at 2018-08-13T14:57:39Z</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">Move fips_enabled to a common library to share across different plugins
Related: https://pagure.io/freeipa/issue/7659
Reviewed-By: Robbie Harwood <rharwood@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/commit/04c5798d61d4c2275592b77467adc927f3a08b0d">04c5798d</a></strong>
<div>
<span>by Alexander Bokovoy</span>
<i>at 2018-08-13T14:57:39Z</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">ipasam: do not use RC4 in FIPS mode
When creating Kerberos keys for trusted domain object account, ipasam
module requests to generate keys using a series of well-known encryption
types. In FIPS mode it is not possible to generate RC4-HMAC key:
MIT Kerberos is using openssl crypto backend and openssl does not allow
use of RC4 in FIPS mode.
Thus, we have to filter out RC4-HMAC encryption type when running in
FIPS mode. A side-effect is that a trust to Active Directory running
with Windows Server 2003 will not be possible anymore in FIPS mode.
Resolves: https://pagure.io/freeipa/issue/7659
Reviewed-By: Robbie Harwood <rharwood@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/commit/4fa36abd745fd03e5d8fab2ce8a75234b9dc5713">4fa36abd</a></strong>
<div>
<span>by Serhii Tsymbaliuk</span>
<i>at 2018-08-13T14:59:40Z</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">Replace logo images with new one (version 4.7)
Resolves: https://pagure.io/freeipa/issue/7362
Reviewed-By: Tibor Dudlak <tdudlak@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/commit/1ef0bc2f3a2cff60df8d1bd53bb813ebfca313dc">1ef0bc2f</a></strong>
<div>
<span>by Stanislav Levin</span>
<i>at 2018-08-15T07:05:58Z</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">Replace the direct URL with config's one
To be customizable URL should be placed to "config"
Fixes: https://pagure.io/freeipa/issue/7621
Reviewed-By: Serhii Tsymbaliuk <stsymbal@redhat.com>
Reviewed-By: Petr Vobornik <pvoborni@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/commit/4e1bdff2ff3a0cd6fe88766ee00be4d107b81585">4e1bdff2</a></strong>
<div>
<span>by Stanislav Levin</span>
<i>at 2018-08-15T07:05:58Z</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">Fix translation of "sync_otp" plugin
To be translatable messages should be marked with '@i18n' and
present in "i18n_messages" dictionary.
Fixes: https://pagure.io/freeipa/issue/7621
Reviewed-By: Serhii Tsymbaliuk <stsymbal@redhat.com>
Reviewed-By: Petr Vobornik <pvoborni@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/commit/6bc7ae079e943ebfda66b74ff4611fc6203d560b">6bc7ae07</a></strong>
<div>
<span>by Stanislav Levin</span>
<i>at 2018-08-15T07:05:58Z</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">Fix translation of "SyncOTPScreen" widget
To be translatable messages should be marked with '@i18n' and
present in "i18n_messages" dictionary.
Fixes: https://pagure.io/freeipa/issue/7621
Reviewed-By: Serhii Tsymbaliuk <stsymbal@redhat.com>
Reviewed-By: Petr Vobornik <pvoborni@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/commit/208ae7aa028d8a7938486eedfd1b13e88db9efef">208ae7aa</a></strong>
<div>
<span>by Rob Crittenden</span>
<i>at 2018-08-15T12:19:38Z</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">Convert members into types in sudorule-*-option
The indirect members need to be calculated and the member
attributes converted. This is normally done in
baseldap::LDAPRetrieve but these methods provide their
own execute() in order to handle the option values.
Update sudorule_add|remove_option tests to include check
that converted user/group exists in the proper format.
https://pagure.io/freeipa/issue/7649
Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Tibor Dudlak <tdudlak@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/commit/6daf4dad5149290dc9253803deb22b78a62fad67">6daf4dad</a></strong>
<div>
<span>by Tibor Dudlák</span>
<i>at 2018-08-16T12:46:11Z</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">Re-open the ldif file to prevent error message
There was an issue with ipa-server-upgrade and it was
showing an error while upgrading:
DN... does not exists or haven't been updated, caused
by not moving pointer to file begining when re-reading.
Resolves: https://pagure.io/freeipa/issue/7644
Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/commit/421e61cf1b8e21ca58e6f96857436412638f8287">421e61cf</a></strong>
<div>
<span>by Tibor Dudlák</span>
<i>at 2018-08-16T12:46:11Z</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">Add assert to check output of upgrade
Ckeck the output of ipa-server-upgrade script for error.
Related to: https://pagure.io/freeipa/issue/7644
Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/commit/9d5cc29d33e18e36f95d875ce4154d00e154db5b">9d5cc29d</a></strong>
<div>
<span>by Mohammad Rizwan Yusuf</span>
<i>at 2018-08-21T12:31:44Z</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">Check if user permssions and umask 0022 is set when executing ipa-restore
This test checks if the access rights for user/group
is set to 644 on /var/lib/dirsrv/slapd-TESTRELM-TEST/ldif/*
and umask 0022 set while restoring.
related ticket: https://pagure.io/freeipa/issue/6844
Signed-off-by: Mohammad Rizwan Yusuf <myusuf@redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/commit/85e18f8bc4dbc7b37ac8f26f4838a537178c8ef9">85e18f8b</a></strong>
<div>
<span>by Serhii Tsymbaliuk</span>
<i>at 2018-08-22T08:58:54Z</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">Replace old login screen logo with new one
Related: https://pagure.io/freeipa/issue/7362
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/commit/b6f3996803c09123349735a98a79f16f18ec9204">b6f39968</a></strong>
<div>
<span>by Michal Reznik</span>
<i>at 2018-08-23T10:05:42Z</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">test: client uninstall fails when installed using non-existing hostname
https://pagure.io/freeipa/issue/7620
Reviewed-By: Tibor Dudlak <tdudlak@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/commit/04845bad8448567f68f2fc4b38ac1b9487732006">04845bad</a></strong>
<div>
<span>by Rob Crittenden</span>
<i>at 2018-08-23T11:40:36Z</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">Honor no-host-dns when creating client host in replica install
--no-host-dns is supposed to avoid all DNS lookups so pass
this as the force value when creating the host in a replica
installation.
https://pagure.io/freeipa/issue/7656
Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Tibor Dudlak <tdudlak@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/commit/cab3016e688a581b5cf56a06f7f13bc40ceb9f4f">cab3016e</a></strong>
<div>
<span>by Florence Blanc-Renaud</span>
<i>at 2018-08-23T11:57:47Z</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">uninstall -v: remove Tracebacks
ipa-server-install --uninstall -v -U prints Traceback in its log file.
This issue happens because it calls subprocess.Popen with close_fds=True
(which closes all file descriptors in the child process)
but it is trying to use the file logger in the child process
(preexec_fn is called in the child just before the child is executed).
The fix is using the logger only in the parent process.
Fixes: https://pagure.io/freeipa/issue/7681
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/commit/2d2549d17704a430a344303c8de7c423e92f9d7f">2d2549d1</a></strong>
<div>
<span>by Florence Blanc-Renaud</span>
<i>at 2018-08-23T11:57:47Z</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">ipautil.run: add test for runas parameter
Add a test for ipautil.run() method called with runas parameter.
The test is using ipautil.run() to execute /usr/bin/id and
checks that the uid/gid are consistent with the runas parameter.
Note that the test needs to be launched by the root user
(non-privileged user may not have the rights to execute ipautil.run()
with runas parameter).
Related to: https://pagure.io/freeipa/issue/7681
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/commit/9f2d8f5b587dd6e63f464dcf696bb3b5f3af2c56">9f2d8f5b</a></strong>
<div>
<span>by Florence Blanc-Renaud</span>
<i>at 2018-08-23T12:00:36Z</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">ipa commands: print 'IPA is not configured' when ipa is not setup
Some commands print tracebacks or unclear error message when
they are called on a machine where ipa packages are installed but
IPA is not configured.
Consistently report 'IPA is not configured on this system' in this
case.
Related to https://pagure.io/freeipa/issue/6261
Reviewed-By: Christian Heimes <cheimes@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/commit/8cf6b6ea095e4270b0a7c3fa56b8018e05e9045b">8cf6b6ea</a></strong>
<div>
<span>by Florence Blanc-Renaud</span>
<i>at 2018-08-23T12:00:36Z</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">Test: test ipa-* commands when IPA is not configured
Add a test checking that ipa-* commands properly display
'IPA is not configured on this system' when called on a
system without IPA.
Related to: https://pagure.io/freeipa/issue/6261
Reviewed-By: Christian Heimes <cheimes@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/commit/32c52db632eb63522539499a906c8ae169d12b7a">32c52db6</a></strong>
<div>
<span>by Christian Heimes</span>
<i>at 2018-08-24T10:15:52Z</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">Detect and prefer platform Python
A platform Python interpreter is a special variant of the interpreter,
that is only used for system software. It's located at
/usr/libexec/platform-python.
Fixes: https://pagure.io/freeipa/issue/7680
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/commit/a29418ea68e66b719ecf7a0b018ff70a9e30b1d8">a29418ea</a></strong>
<div>
<span>by Christian Heimes</span>
<i>at 2018-08-24T10:15:52Z</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">Rename Python scripts and add dynamic shebang
All Python scripts are now generated from a template with a dynamic
shebang.
ipatests/i18n.py is no longer an executable script with shebang. The
module is not executed as script directly, but rather as
$(PYTHON) ipatests/i18n.py
Fixes: https://pagure.io/freeipa/issue/7680
All Python scripts are now template files with a dynamic shebang line.
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/commit/85dd29f1481d02170e713e9e5b1f35e0d307da98">85dd29f1</a></strong>
<div>
<span>by Christian Heimes</span>
<i>at 2018-08-24T10:15:52Z</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">Generate scripts from templates
Python scripts are now generated from templates. The scripts are marked
as nodist (no distribution) but install targets. The templates for the
scripts are extra distribution data, no installation (noinst).
Fixes: https://pagure.io/freeipa/issue/7680
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/commit/30443d1dadc3f1109acec8ba689cfeb554400c8b">30443d1d</a></strong>
<div>
<span>by Florence Blanc-Renaud</span>
<i>at 2018-08-27T07:54:38Z</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">DS replication settings: fix regression with <3.3 master
Commit 811b0fdb4620938963f1a29d3fdd22257327562c introduced a regression
when configuring replication with a master < 3.3
Even if 389-ds schema is extended with nsds5ReplicaReleaseTimeout,
nsds5ReplicaBackoffMax and nsDS5ReplicaBindDnGroupCheckInterval
attributes, it will return UNWILLING_TO_PERFORM when a mod
operation is performed on the cn=replica entry.
This patch ignores the error and logs a debug msg.
See: https://pagure.io/freeipa/issue/7617
Reviewed-By: Christian Heimes <cheimes@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/commit/2ad274289271a93f501657e996e044f8bb90c6eb">2ad27428</a></strong>
<div>
<span>by Stanislav Levin</span>
<i>at 2018-08-28T07:03:20Z</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">Add MigrateScreen widget
This widget is intended to integrate password migrate page into the
entire IPA Web framework. The functionality is the same as mentioned
standalone "ipa/migration/index.html".
Fixes: https://pagure.io/freeipa/issue/7641
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Petr Vobornik <pvoborni@redhat.com>
Reviewed-By: Serhii Tsymbaliuk <stsymbal@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/commit/53e4e34ac423bd2474d55205719396cde116a2fe">53e4e34a</a></strong>
<div>
<span>by Stanislav Levin</span>
<i>at 2018-08-28T07:03:20Z</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">Add "migrate" Web UI plugin
This plugin creates and registers a facet with password migrate page.
Fixes: https://pagure.io/freeipa/issue/7641
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Petr Vobornik <pvoborni@redhat.com>
Reviewed-By: Serhii Tsymbaliuk <stsymbal@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/commit/ad7f26c5f07e3624a283a99d300716036e6d9e1f">ad7f26c5</a></strong>
<div>
<span>by Stanislav Levin</span>
<i>at 2018-08-28T07:03:20Z</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">Return the result of "password migration" procedure
So far "migration" end point redirected to "error"/"invalid" page as
a result of the client request. To use ajax requests and to not
reload/load the whole page the response should include the result of
request.
Fixes: https://pagure.io/freeipa/issue/7641
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Petr Vobornik <pvoborni@redhat.com>
Reviewed-By: Serhii Tsymbaliuk <stsymbal@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/commit/d05f678b385cbaa988c031024b16e47d7a87ebcb">d05f678b</a></strong>
<div>
<span>by Stanislav Levin</span>
<i>at 2018-08-28T07:03:20Z</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">Integrate "migration" page to IPA Web framework.
To use all advantages of entire Web framework the "migration" page
should use "migrate" plugin. As well this allows to use IPA
translations.
Fixes: https://pagure.io/freeipa/issue/7641
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Petr Vobornik <pvoborni@redhat.com>
Reviewed-By: Serhii Tsymbaliuk <stsymbal@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/commit/cc1c5aada60b5e66b741a927ec18907e4206e56c">cc1c5aad</a></strong>
<div>
<span>by Stanislav Levin</span>
<i>at 2018-08-28T07:03:20Z</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">Provide translatable messages for MigrateScreen widget
Translatable messages should be marked with @i18n. Also
these messages should be presented in "i18n_messages" dictionary.
Fixes: https://pagure.io/freeipa/issue/7641
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Petr Vobornik <pvoborni@redhat.com>
Reviewed-By: Serhii Tsymbaliuk <stsymbal@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/commit/92a23477d687fed1a61c341ccea67e5dab4daee4">92a23477</a></strong>
<div>
<span>by Stanislav Levin</span>
<i>at 2018-08-28T07:03:20Z</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">Clean up migration "error" and "invalid" pages from project
Migration error/invalid html pages are no longer needed as their
functionality was moved to "migrate" plugin.
Fixes: https://pagure.io/freeipa/issue/7641
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Petr Vobornik <pvoborni@redhat.com>
Reviewed-By: Serhii Tsymbaliuk <stsymbal@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/commit/382472dc2a5c4e3dd608b0d58ee1534d92f449d5">382472dc</a></strong>
<div>
<span>by Stanislav Levin</span>
<i>at 2018-08-28T07:03:20Z</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">Add basic tests for "migration" end point
Fixes: https://pagure.io/freeipa/issue/7641
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Petr Vobornik <pvoborni@redhat.com>
Reviewed-By: Serhii Tsymbaliuk <stsymbal@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/commit/533067e3e937615e5f48d9621a42a06711d8f66f">533067e3</a></strong>
<div>
<span>by Petr Vobornik</span>
<i>at 2018-08-28T07:03:20Z</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">webui: redable color of invalid fields on login-screen-like pages
Pages with widgets like LoginScreen, MigrateScreen use login-pf styling.
This page has dark background instead of light. Thus styling for labels
for fields with error has color which makes the label hard to read or
almost invisible.
Change it to white so it is still readable.
Fixes: https://pagure.io/freeipa/issue/7641
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Petr Vobornik <pvoborni@redhat.com>
Reviewed-By: Serhii Tsymbaliuk <stsymbal@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/commit/660f90b263174a0e3c39bc3644b2ab17f814ac4b">660f90b2</a></strong>
<div>
<span>by Mohammad Rizwan Yusuf</span>
<i>at 2018-08-28T07:05:38Z</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">Test if WSGI worker process count is set to 4
related ticket : https://pagure.io/freeipa/issue/7587
Signed-off-by: Mohammad Rizwan Yusuf <myusuf@redhat.com>
Reviewed-By: Tibor Dudlak <tdudlak@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/commit/15ce6c819e239eb58749a7c96a16984103c18675">15ce6c81</a></strong>
<div>
<span>by Tibor Dudlák</span>
<i>at 2018-08-28T12:06:55Z</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">Do not set ca_host when --setup-ca is used
Setting ca_host caused replication failures on DL0
because it was trying to connect to wrong CA host.
Trying to avoid corner-case in ipaserver/plugins/dogtag.py
when api.env.host nor api.env.ca_host had not CA configured
and there was ca_host set to api.env.ca_host variable.
See: https://pagure.io/freeipa/issue/7566
Resolves: https://pagure.io/freeipa/issue/7629
Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/commit/9e65f20378d1786039e6b1c64fbfc4b1957093d3">9e65f203</a></strong>
<div>
<span>by Stanislav Levin</span>
<i>at 2018-08-28T13:51:24Z</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">Fix "get_key_index" to fit caller's expectations
The clients of "get_key_index" expect index of key in matching case
otherwise -1. But instead of this function returns the "undefined"
value.
Fixes: https://pagure.io/freeipa/issue/7678
Reviewed-By: Serhii Tsymbaliuk <stsymbal@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/commit/8b8dbaabc340d1b205293b94145844470fb28055">8b8dbaab</a></strong>
<div>
<span>by Stanislav Levin</span>
<i>at 2018-08-28T13:51:24Z</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">Reindex 'key_indicies' after item delete
The "keys.splice(i, 1)" removes one item at the specified position
from an array. Thus hashes which are stored at "that._key_indicies"
are no longer valid and should be reindexed.
Fixes: https://pagure.io/freeipa/issue/7678
Reviewed-By: Serhii Tsymbaliuk <stsymbal@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/commit/1c7771f2e64fcbba2548bd86a7d9ca11e212cd50">1c7771f2</a></strong>
<div>
<span>by Rob Crittenden</span>
<i>at 2018-08-29T11:53:03Z</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">Retrieve certificate subject base directly instead of ipa-join
The subject base is used as a fallback to find the available
CA certificates during client enrollment if the LDAP connection
fails (e.g. due to new client connecting to very old server) and
for constructing the subject if a certificate is requested.
raw=True is passed to config-show in order to avoid parsing
the server roles which will fail because the services aren't
marked as enabled until after the client installation is
successful on a master.
ipa-join providing the subject base via stderr was fragile and
would cause client enrollment to fail if any other output was
included in stderr.
https://pagure.io/freeipa/issue/7674
Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/commit/bf66c85a5e6da40872fb52546108b4ca21b87030">bf66c85a</a></strong>
<div>
<span>by Christian Heimes</span>
<i>at 2018-08-30T15:42:26Z</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">Refactor os-release and platform information
Move the /etc/os-release parser and platform detection code out of the
private _importhook module. The ipaplatform module now contains an
osinfo module that provides distribution, os, and vendor information.
See: https://www.freedesktop.org/software/systemd/man/os-release.html
See: https://pagure.io/freeipa/issue/7661
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/commit/0519c5b42e574d875f585c70ce4a88423f44e521">0519c5b4</a></strong>
<div>
<span>by Christian Heimes</span>
<i>at 2018-08-30T15:42:26Z</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">Don't check for systemd service
ipaplatform no longer checks for the presence of a systemd service file
to detect the name of the domainname service. Instead it uses osinfo's
version to use the old name on Fedora 28 and the new name on Fedora 29.
This fixes a SELinux violation that prevented httpd from listing systemd
service files.
Fixes: https://pagure.io/freeipa/issue/7661
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/commit/88d2156925695458317c085a93d8b36b91003ed8">88d21569</a></strong>
<div>
<span>by Michal Reznik</span>
<i>at 2018-08-31T12:58:44Z</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">Add "389-ds-base-legacy-tools" to requires.
"389-ds-base-legacy-tools" needs to be added to requires until
the switch to python installer is completed.
Reviewed-By: Tibor Dudlak <tdudlak@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/commit/2dae9e28b3b508f43af293ae8602f9208ed3c4e0">2dae9e28</a></strong>
<div>
<span>by Robbie Harwood</span>
<i>at 2018-09-03T07:11:08Z</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">Clear next field when returnining list elements in queue.c
The ipa-otpd code occasionally removes elements from one queue,
inspects and modifies them, and then inserts them into
another (possibly identical, possibly different) queue. When the next
pointer isn't cleared, this can result in element membership in both
queues, leading to double frees, or even self-referential elements,
causing infinite loops at traversal time.
Rather than eliminating the pattern, make it safe by clearing the next
field any time an element enters or exits a queue.
Related https://pagure.io/freeipa/issue/7262
Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/commit/56ec7c8c2cca40c71b7129ab07aa5bac64239133">56ec7c8c</a></strong>
<div>
<span>by Robbie Harwood</span>
<i>at 2018-09-03T07:11:08Z</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">Add cmocka unit tests for ipa otpd queue code
Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/commit/de4eca78f29a6b4b73f9bc9824eead00112368cb">de4eca78</a></strong>
<div>
<span>by Michal Reznik</span>
<i>at 2018-09-03T13:04:15Z</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">bump PRCI template version to 0.1.8
Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/commit/a66789603a30b9582d9255a02edfbf66d90ae78d">a6678960</a></strong>
<div>
<span>by Florence Blanc-Renaud</span>
<i>at 2018-09-03T13:05:23Z</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">ipa-server-install: do not perform forwarder validation with --no-dnssec-validation
ipa-server-install is checking if the forwarder(s) specified with
--forwarder argument support DNSSEC. When the --no-dnssec-validation
option is added, the installer should not perform the check.
Fixes: https://pagure.io/freeipa/issue/7666
Reviewed-By: Tibor Dudlak <tdudlak@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/commit/ac7b3f989e86ac0ff216b9b0c07ab2f1a0d571a1">ac7b3f98</a></strong>
<div>
<span>by Florence Blanc-Renaud</span>
<i>at 2018-09-03T13:05:23Z</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">tests: add test for server install with --no-dnssec-validation
Add 2 tests related to the checks performed by ipa-server-install
when --forwarder is specified:
- if the forwarder is not reachable and we require dnssec validation,
the installer must refuse to go on and exit on error.
- if the forwarder is not reachable but --no-dnssec-validation is
provided, the installer must continue.
Related to https://pagure.io/freeipa/issue/7666
Reviewed-By: Tibor Dudlak <tdudlak@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/commit/f611e5ac06441615e8f3414bc4bc330d3c2732f9">f611e5ac</a></strong>
<div>
<span>by Thomas Woerner</span>
<i>at 2018-09-05T12:24:06Z</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">Adapt freeipa.spec.in for latest Fedora, fix python2 ipatests packaging bug
New autoreconf -ivf call before configure
Reviewed-By: Christian Heimes <cheimes@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/commit/fc32cbb686c9d6c40607ddc48342403c7ed7bd4a">fc32cbb6</a></strong>
<div>
<span>by Armando Neto</span>
<i>at 2018-09-05T17:41:41Z</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">Delete empty keytab during client installation
Client installation fails if '/etc/krb5.keytab' exists as a zero-length
file. Deleting empty keytab before proceeding with the installation
fixes the problem.
https://pagure.io/freeipa/issue/7625
Signed-off-by: Armando Neto <abiagion@redhat.com>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/commit/5b1dce59ee99a359faa5020a0ff58734c1b0d28b">5b1dce59</a></strong>
<div>
<span>by Stanislav Levin</span>
<i>at 2018-09-06T12:21:05Z</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">Fix render validation items on keypress event at login form
There are many no needed render callings which are performed
on each keypress event at login form. It is enough to update
validation items on "CapsLock" state change.
Fixes: https://pagure.io/freeipa/issue/7679
Reviewed-By: Serhii Tsymbaliuk <stsymbal@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/commit/09c78a1e07056eea1036d974bcdfd8c00a254733">09c78a1e</a></strong>
<div>
<span>by Florence Blanc-Renaud</span>
<i>at 2018-09-06T12:23:48Z</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">ipa-replica-install: fix pkinit setup
commit 7284097 (Delay enabling services until end of installer)
introduced a regression in replica installation.
When the replica requests a cert for PKINIT, a check is done
to ensure that the hostname corresponds to a machine with a
KDC service enabled (ipaconfigstring attribute of
cn=KDC,cn=<hostname>,cn=masters,cn=ipa,cn=etc,$BASEDN must contain
'enabledService').
With the commit mentioned above, the service is set to enabled only
at the end of the installation.
The fix makes a less strict check, ensuring that 'enabledService'
or 'configuredService' is in ipaconfigstring.
Fixes: https://pagure.io/freeipa/issue/7566
Reviewed-By: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/commit/5ea8f8ae9d250b86d66d20df95293a71dc40eb46">5ea8f8ae</a></strong>
<div>
<span>by Florence Blanc-Renaud</span>
<i>at 2018-09-06T12:23:48Z</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">Tests: test successful PKINIT install on replica
Add a test checking that ipa-replica-install successfully configures
PKINIT on the replica
Related to https://pagure.io/freeipa/issue/7566
Reviewed-By: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/commit/ef865651f12165fd7d24f5d56dbce09949f6b452">ef865651</a></strong>
<div>
<span>by Armando Neto</span>
<i>at 2018-09-06T19:21:21Z</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">Fix certificate type error when exporting to file
Commands `ipa ca-show` and `ipa cert-show` share the same code,
this commit updates the former, closing the gap between them.
Reflecting the changes done in 5a44ca638310913ab6b0c239374f4b0ddeeedeb3.
https://pagure.io/freeipa/issue/7628
Signed-off-by: Armando Neto <abiagion@redhat.com>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/commit/e9b05971749bcbfc927eab4f50ab3974cd9a2861">e9b05971</a></strong>
<div>
<span>by Armando Neto</span>
<i>at 2018-09-06T19:30:48Z</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">Add test for client installation with empty keytab file
Missing test case for cf1301fb064fc230c780c4bc5eeccb723899f7b6.
https://pagure.io/freeipa/issue/7625
Signed-off-by: Armando Neto <abiagion@redhat.com>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/commit/e09a3e8ab456f258eef25fe936656b49f15a79e9">e09a3e8a</a></strong>
<div>
<span>by Florence Blanc-Renaud</span>
<i>at 2018-09-07T08:26:26Z</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">ipa-replica-install: properly use the file store
In ipa-replica-install, many components use their own instance
of the FileStore to backup configuration files to the pre-install
state. This causes issues when the calls are mixed, like for
instance:
ds.do_task1_that_backups_file (using ds.filestore)
http.do_task2_that_backups_file (using http.filestore)
ds.do_task3_that_backups_file (using ds.filestore)
because the list of files managed by ds.filestore does not include
the files managed by http.filestore, and the 3rd call would remove
any file added on 2nd call.
The symptom of this bug is that ipa-replica-install does not save
/etc/httpd/conf.d/ssl.conf and subsequent uninstallation does not
restore the file, leading to a line referring to ipa-rewrite.conf
that prevents httpd startup.
The installer should consistently use the same filestore.
Fixes https://pagure.io/freeipa/issue/7684
Reviewed-By: Christian Heimes <cheimes@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/commit/cca3531e6ae425121611a862855adfab532989cd">cca3531e</a></strong>
<div>
<span>by Florence Blanc-Renaud</span>
<i>at 2018-09-07T08:26:26Z</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">Test: scenario replica install/uninstall should restore ssl.conf
Test that the scenario ipa-replica-install/ uninstall correctly
restores the file /etc/httpd/conf.d/ssl.conf
Related to https://pagure.io/freeipa/issue/7684
Reviewed-By: Christian Heimes <cheimes@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/commit/965aecf21ef9eefc4eed5b50523e3f853cc35111">965aecf2</a></strong>
<div>
<span>by Michal Reznik</span>
<i>at 2018-09-07T12:22:58Z</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">tests: sssd_ssh fd leaks when user cert converted into SSH key
https://pagure.io/freeipa/issue/7687
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Tibor Dudlak <tdudlak@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/commit/1d8f3b9b4722b3757ec5c96e25d391e4a6e400c9">1d8f3b9b</a></strong>
<div>
<span>by Michal Reznik</span>
<i>at 2018-09-07T12:22:58Z</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">add strip_cert_header() to tasks.py
https://pagure.io/freeipa/issue/7687
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Tibor Dudlak <tdudlak@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/commit/d414c340f2d92a407772ca9b715b7f7f6a49e006">d414c340</a></strong>
<div>
<span>by Stanislav Levin</span>
<i>at 2018-09-12T11:11:49Z</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">Fix translation of "unauthorized.html" Web page
Make this page message translatable as other parts of IPA framework.
Fixes: https://pagure.io/freeipa/issue/7640
Reviewed-By: Serhii Tsymbaliuk <stsymbal@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/commit/5404be8ca3960572fd39ea5872121c2289b81612">5404be8c</a></strong>
<div>
<span>by Stanislav Levin</span>
<i>at 2018-09-12T11:11:49Z</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">Fix translation of "ssbrowser.html" Web page
Make this page message translatable as other parts of IPA framework.
Fixes: https://pagure.io/freeipa/issue/7640
Reviewed-By: Serhii Tsymbaliuk <stsymbal@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/commit/68b4824bf88270731ec9e7680f8316481446b646">68b4824b</a></strong>
<div>
<span>by Stanislav Levin</span>
<i>at 2018-09-12T11:11:49Z</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">Add basic tests to web pages which are located at /ipa/config/
The goal of these tests is to ensure that the translated text is
synced against a 'noscript' one.
Fixes: https://pagure.io/freeipa/issue/7640
Reviewed-By: Serhii Tsymbaliuk <stsymbal@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/commit/7c8ba1d79a11bd8f0be61817c082fb5351e02dd0">7c8ba1d7</a></strong>
<div>
<span>by Stanislav Levin</span>
<i>at 2018-09-12T11:48:28Z</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">Replace the direct URL with config's one
To be customizable URL should be placed to "config"
Fixes: https://pagure.io/freeipa/issue/7619
Reviewed-By: Serhii Tsymbaliuk <stsymbal@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/commit/ce15361a41ca3b544260e5a828254e0241f3b85e">ce15361a</a></strong>
<div>
<span>by Stanislav Levin</span>
<i>at 2018-09-12T11:48:28Z</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">Add "reset_and_login" view to LoginScreen widget
Previous "reset" view is splitted to "reset" and "reset_and_login"
ones. "reset" is used to render "just reset password" logic. And
"reset_and_login" - "reset password and then log in".
Fixes: https://pagure.io/freeipa/issue/7619
Reviewed-By: Serhii Tsymbaliuk <stsymbal@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/commit/8da9935e980431538083a282db8d104b1475b416">8da9935e</a></strong>
<div>
<span>by Stanislav Levin</span>
<i>at 2018-09-12T11:48:28Z</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">Use "login" plugin instead of standalone JS file
Plugin "login" already has the same functionality as a JS code in
separated javascript file. There is no need to duplicate it.
Fixes: https://pagure.io/freeipa/issue/7619
Reviewed-By: Serhii Tsymbaliuk <stsymbal@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/commit/18c878ea12393a9108c4ccf3af6ed021bdc656ec">18c878ea</a></strong>
<div>
<span>by Stanislav Levin</span>
<i>at 2018-09-12T11:48:28Z</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">Clean up reset_password.js file from project
reset_password.js is no longer needed as it's functionality is moved
to "login" plugin.
Fixes: https://pagure.io/freeipa/issue/7619
Reviewed-By: Serhii Tsymbaliuk <stsymbal@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/commit/b7290e4533ca8f2ee687d7bf10c1a63216d70ac2">b7290e45</a></strong>
<div>
<span>by Stanislav Levin</span>
<i>at 2018-09-12T11:48:28Z</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">Fix translations of messages in LoginScreen widget
To be translatable messages should be marked with '@i18n' and
present in "i18n_messages" dictionary.
Fixes: https://pagure.io/freeipa/issue/7619
Reviewed-By: Serhii Tsymbaliuk <stsymbal@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/commit/86f98e546bff76636066a49d8e4405bf733bed0c">86f98e54</a></strong>
<div>
<span>by Stanislav Levin</span>
<i>at 2018-09-12T11:48:28Z</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">Add "bounce" logic from "reset_password.js"
This should add support for https://pagure.io/freeipa/issue/4440
Fixes: https://pagure.io/freeipa/issue/7619
Reviewed-By: Serhii Tsymbaliuk <stsymbal@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/commit/e24b1f62d1204af5af913562a5ae714247ce8917">e24b1f62</a></strong>
<div>
<span>by Stanislav Levin</span>
<i>at 2018-09-12T11:48:28Z</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">Add tests for LoginScreen widget
Add some basic tests for different aspects of LoginScreen such as
'login', 'reset_and_login', 'reset' views.
Fixes: https://pagure.io/freeipa/issue/7619
Reviewed-By: Serhii Tsymbaliuk <stsymbal@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/commit/56bfd49d90b99b44afef4578a24adb68c9514725">56bfd49d</a></strong>
<div>
<span>by Rob Crittenden</span>
<i>at 2018-09-12T13:17:05Z</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">Update required version of dogtag to detect when FIPS is available
When it was checking for FIPS it assumed that /proc/sys/crypto
existed which it doesn't in some containers and on Ubuntu.
This was updated in dogtag, this change is just to pull in the
fix.
https://pagure.io/freeipa/issue/7608
Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/commit/5cbb0f3d18276f6975123099c8508065d68d5533">5cbb0f3d</a></strong>
<div>
<span>by Rob Crittenden</span>
<i>at 2018-09-12T20:37:45Z</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">Advise plugin for enabling sudo for members of the admins group
Create HBAC and a sudo rule for allowing members of the admins
group to run sudo on all enrolled hosts.
https://pagure.io/freeipa/issue/7538
Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/commit/7ce495048d2de59042e1b61b8a56ca04f6b2dca9">7ce49504</a></strong>
<div>
<span>by Florence Blanc-Renaud</span>
<i>at 2018-09-19T12:01:13Z</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">authselect: harden uninstallation of ipa client
When ipa client is uninstalled, the content of sysrestore.state
is read to restore the previous authselect profile and features.
The code should properly handle the case where sysrestore.state
contains the header for the authselect section, but the key=value
for profile and features are missing.
Fixes https://pagure.io/freeipa/issue/7657
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/commit/4f323bc20f5e5df828dc6e8efb670248df57d9b8">4f323bc2</a></strong>
<div>
<span>by Florence Blanc-Renaud</span>
<i>at 2018-09-19T12:01:13Z</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">tests: add test for uninstall with incomplete sysrestore.state
Add a test that performs client uninstallation when sysrestore.state
contains the header for the [authselect] section but does not
contain a value for profile and features.
Related to https://pagure.io/freeipa/issue/7657
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/commit/446c6c896b58fa4ea1d1cee2ea8bf5390be29894">446c6c89</a></strong>
<div>
<span>by Florence Blanc-Renaud</span>
<i>at 2018-09-19T12:18:12Z</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">ipa-advise: configure pam_cert_auth=True for smart card on client
ipa-advise config-client-for-smart-card-auth is now using authselect
instead of authconfig, but authselect enable-feature with-smartcard
does not set pam_cert_auth=True in /etc/sssd/sssd.conf.
As a result, smart card auth on a client fails.
The fix adds a step in ipa-advise to configure pam_cert_auth=True.
The fix also forces the use of python3 interpreter, and handles
newer versions of SSSD which use OpenSSL instead of NSS (the trusted
CA certs must be put into /etc/sssd/pki/sssd_auth_ca_db.pem
Fixes https://pagure.io/freeipa/issue/7532
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/commit/ba2ec0697edef90fbb8cc53d8fee805f85bb9b10">ba2ec069</a></strong>
<div>
<span>by Serhii Tsymbaliuk</span>
<i>at 2018-09-19T14:03:45Z</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">Fix hardcoded CSR in test_webui/test_cert.py
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Petr Vobornik <pvoborni@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/commit/62bbc8e3234038fa6a7e097d9f6d7e3a7ad8a16e">62bbc8e3</a></strong>
<div>
<span>by Serhii Tsymbaliuk</span>
<i>at 2018-09-19T14:03:45Z</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">Use random IPs and domains in test_webui/test_host.py
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Petr Vobornik <pvoborni@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/commit/d0dc6197d1924211e07f1c630385cd2793413134">d0dc6197</a></strong>
<div>
<span>by Serhii Tsymbaliuk</span>
<i>at 2018-09-19T14:03:45Z</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">Increase request timeout for WebUI tests
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Petr Vobornik <pvoborni@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/commit/ed15e44168cd4c13bdb988c31d7a8376016e414c">ed15e441</a></strong>
<div>
<span>by Serhii Tsymbaliuk</span>
<i>at 2018-09-19T14:03:45Z</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">Fix test_realmdomains::test_add_single_labeled_domain (Web UI test)
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Petr Vobornik <pvoborni@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/commit/338dd256d02c1c4c3afd14dc287d15b47f6a3445">338dd256</a></strong>
<div>
<span>by Serhii Tsymbaliuk</span>
<i>at 2018-09-19T14:03:45Z</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">Use random realmdomains in test_webui/test_realmdomains.py
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Petr Vobornik <pvoborni@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/commit/e075b12b7c1165497da0ada423d4ec46381f1531">e075b12b</a></strong>
<div>
<span>by Serhii Tsymbaliuk</span>
<i>at 2018-09-19T14:03:45Z</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">Fix test_user::test_login_without_username (Web UI test)
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Petr Vobornik <pvoborni@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/commit/ef0549ef0ca3c11347819e1d8530eef65856fb7e">ef0549ef</a></strong>
<div>
<span>by Serhii Tsymbaliuk</span>
<i>at 2018-09-19T14:03:45Z</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">Fix unpermitted user session in test_selfservice (Web UI test)
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Petr Vobornik <pvoborni@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/commit/a70cfcade75efe8c94182bbb5b80f08e4b96db5e">a70cfcad</a></strong>
<div>
<span>by Serhii Tsymbaliuk</span>
<i>at 2018-09-19T14:03:45Z</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">Add SAN extension for CSR generation in test_cert (Web UI tests)
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Petr Vobornik <pvoborni@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/commit/ba7405b12a029d35a49a47d5b02b176b68e6fd05">ba7405b1</a></strong>
<div>
<span>by Serhii Tsymbaliuk</span>
<i>at 2018-09-19T14:03:45Z</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">Generate CSR for test_host::test_certificates (Web UI test)
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Petr Vobornik <pvoborni@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/commit/27a23a49c432866313405bf30bef54048967dbd7">27a23a49</a></strong>
<div>
<span>by Serhii Tsymbaliuk</span>
<i>at 2018-09-19T14:03:45Z</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">Add cookies clearing for all Web UI tests
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Petr Vobornik <pvoborni@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/commit/0740b0485ff2d25eb02f29339833960ef4fd24ac">0740b048</a></strong>
<div>
<span>by Serhii Tsymbaliuk</span>
<i>at 2018-09-19T14:03:45Z</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">Remove unnecessary session clearing in some Web UI tests
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Petr Vobornik <pvoborni@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/commit/8a08abbdda83b4611e403c541a5075bdc75099a1">8a08abbd</a></strong>
<div>
<span>by Serhii Tsymbaliuk</span>
<i>at 2018-09-19T14:03:45Z</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">Increase some timeouts in Web UI tests
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Petr Vobornik <pvoborni@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/commit/eb117622265d185e319be2767b2d6edda5a2dce2">eb117622</a></strong>
<div>
<span>by Serhii Tsymbaliuk</span>
<i>at 2018-09-19T14:03:45Z</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">Fix UI_driver.has_class exception. Handle situation when element has no class attribute
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Petr Vobornik <pvoborni@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/commit/e73a44e829ae49797b3cc8c8a59e1c9c5823591a">e73a44e8</a></strong>
<div>
<span>by Serhii Tsymbaliuk</span>
<i>at 2018-09-19T14:03:45Z</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">Change Web UI tests setup flow
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Petr Vobornik <pvoborni@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/commit/3b226d8b90d032a46809cfb0d045f62940805e86">3b226d8b</a></strong>
<div>
<span>by Rob Crittenden</span>
<i>at 2018-09-20T06:53:13Z</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">Try to resolve the name passed into the password reader to a file
Rather than comparing the value passed in by Apache to a
hostname value just see if there is a file of that name in
/var/lib/ipa/passwds.
Use realpath to see if path information was passed in as one of
the options so that someone can't try to return random files from
the filesystem.
https://pagure.io/freeipa/issue/7528
Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/commit/1d54726c59c8f0c7a116983c2a6d8d2d87d9276c">1d54726c</a></strong>
<div>
<span>by Rob Crittenden</span>
<i>at 2018-09-21T13:25:46Z</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">Fix uninstallation test, use different method to stop dirsrv
The API may not be initialized so using ds.is_running() may fail.
Call systemctl directly to ensure the dirsrv instance is stopped.
Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
Reviewed-By: Michal Reznik <mreznik@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/commit/9726372c39ea5699e2971b906f62f8316254e5f0">9726372c</a></strong>
<div>
<span>by Rob Crittenden</span>
<i>at 2018-09-21T13:25:46Z</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">Add uninstallation tests to night master and rawhide
Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
Reviewed-By: Michal Reznik <mreznik@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/commit/83a8fad019789bd939135e97390d767614efc6bf">83a8fad0</a></strong>
<div>
<span>by Thomas Woerner</span>
<i>at 2018-09-24T06:25:28Z</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">Do not install ipa-replica-prepare
ipa-replica-prepare (script and man page) is only needed for DL0 support.
The script and man page are not installed anymore and also removed from
the spec file.
See: https://pagure.io/freeipa/issue/7669
Signed-off-by: Thomas Woerner <twoerner@redhat.com>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/commit/416b3f179f6c9cadabf9005fb409c0b66f3471f4">416b3f17</a></strong>
<div>
<span>by Thomas Woerner</span>
<i>at 2018-09-24T06:25:28Z</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">Increase MIN_DOMAIN_LEVEL to DOMAIN_LEVEL_1
With increasing the minimal domain level to 1 ipa-replica-install will
refuse to install if the domain has domain level 0.
See: https://pagure.io/freeipa/issue/7669
Signed-off-by: Thomas Woerner <twoerner@redhat.com>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/commit/0b81aeb80359f8ff2cb15f5be4e982072f6263af">0b81aeb8</a></strong>
<div>
<span>by Thomas Woerner</span>
<i>at 2018-09-24T06:25:28Z</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">Mark replica_file option as deprecated
The replica_file option is only supported for DL0. The option will be
marked deprecated for now.
See: https://pagure.io/freeipa/issue/7669
Signed-off-by: Thomas Woerner <twoerner@redhat.com>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/commit/aafd2dbe47dc695efccafbcc799f912039aa56de">aafd2dbe</a></strong>
<div>
<span>by Thomas Woerner</span>
<i>at 2018-09-24T06:25:28Z</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">Raise error if DL is set to 0 or DL0 options are used
In the case that the domain level is set to 0 or replica_file is set (not
None) an error will be raised.
See: https://pagure.io/freeipa/issue/7669
Signed-off-by: Thomas Woerner <twoerner@redhat.com>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/commit/9001cfabd4e02f6d99c5f9d9a6eaec5307621fa1">9001cfab</a></strong>
<div>
<span>by Thomas Woerner</span>
<i>at 2018-09-24T06:25:28Z</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">Remove support for replica_file option from ipa-ca-install
Raise "Domain level 0 is not supported anymore" error if there are
remainaing args after parsing. Remove all "DOMAIN LEVEL 0" and
"DOMAIN LEVEL 1" prefixes from the man page.
See: https://pagure.io/freeipa/issue/7669
Signed-off-by: Thomas Woerner <twoerner@redhat.com>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/commit/800c8c5904344335f49ce101170c6e366dcb1a1b">800c8c59</a></strong>
<div>
<span>by Thomas Woerner</span>
<i>at 2018-09-24T06:25:28Z</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">Remove support for replica_file option from ipa-kra-install
Raise "Domain level 0 is not supported anymore" error if there are
remainaing args after parsing. Remove all "DOMAIN LEVEL 0" and
"DOMAIN LEVEL 1" prefixes from the man page.
See: https://pagure.io/freeipa/issue/7669
Signed-off-by: Thomas Woerner <twoerner@redhat.com>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/commit/67bbc9bd1f794b224f8e5592865ece82b8ec2d1f">67bbc9bd</a></strong>
<div>
<span>by Thomas Woerner</span>
<i>at 2018-09-24T06:25:28Z</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">Remove DL0 specific sections from ipa-replica-install man page
Remove replica_file option and all "DOMAIN LEVEL 0" and "DOMAIN LEVEL 1"
prefixes and also sections specific to DL0 form the man page.
See: https://pagure.io/freeipa/issue/7669
Signed-off-by: Thomas Woerner <twoerner@redhat.com>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/commit/b4a37c5aaa7e0714f4b9c598fa46fa5af6e2cbef">b4a37c5a</a></strong>
<div>
<span>by Thomas Woerner</span>
<i>at 2018-09-24T06:25:28Z</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">Remove "at DL1" from ipa-replica-manage man page
As there is currently only DL1, there is no need to have extra
sentences for "at domain level 1".
See: https://pagure.io/freeipa/issue/7669
Signed-off-by: Thomas Woerner <twoerner@redhat.com>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/commit/f7516be12bcac377f152536e75a79d36243d3123">f7516be1</a></strong>
<div>
<span>by Thomas Woerner</span>
<i>at 2018-09-24T06:25:28Z</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">Remove "at DL1" from ipa-server-install man page
As there is currently only DL1, there is no need to have extra
sentences for "at domain level 1".
See: https://pagure.io/freeipa/issue/7669
Signed-off-by: Thomas Woerner <twoerner@redhat.com>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/commit/a3e179bd76c1431a2f0d3a12dd33a74424a834b2">a3e179bd</a></strong>
<div>
<span>by Thomas Woerner</span>
<i>at 2018-09-24T06:25:28Z</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">Move DL0 raises outside if existing conditionals to calm down pylint
This pull should not remove code, therefore it is needed to add addtional
conditionals to calm down pylint beacuse of unreachable code.
See: https://pagure.io/freeipa/issue/7669
Signed-off-by: Thomas Woerner <twoerner@redhat.com>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/commit/a442040085883567b0ac5a48d8e7d5cc116170ab">a4420400</a></strong>
<div>
<span>by Thomas Woerner</span>
<i>at 2018-09-24T06:25:28Z</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">ipatests: Drop test_password_option_DL0
DL0 is not supported anymore therefore this test is failing.
See: https://pagure.io/freeipa/issue/7669
Signed-off-by: Thomas Woerner <twoerner@redhat.com>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/commit/c4982dcc1d7f9b28f3645f32926d48e9ed2865b6">c4982dcc</a></strong>
<div>
<span>by Thomas Woerner</span>
<i>at 2018-09-24T06:25:28Z</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">ipatests/test_ipaserver/test_install/test_installer.py: Drop tempfile import
This is not needed anymore due to the removal of the DL0 test
See: https://pagure.io/freeipa/issue/7669
Signed-off-by: Thomas Woerner <twoerner@redhat.com>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/commit/2c393ab641ee96892093e3a5952828827077e76e">2c393ab6</a></strong>
<div>
<span>by Thomas Woerner</span>
<i>at 2018-09-24T06:25:28Z</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">ipaserver/install/adtrust.py: Do not use DOMAIN_LEVEL_0 for minimum
As there is the minimal domain level setting MIN_DOMAIN_LEVEL, it should
be used instead of DOMAIN_LEVEL_0.
See: https://pagure.io/freeipa/issue/7669
Signed-off-by: Thomas Woerner <twoerner@redhat.com>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/commit/d8cb4260a88944e15784b177ef10de2e2f375f02">d8cb4260</a></strong>
<div>
<span>by Thomas Woerner</span>
<i>at 2018-09-24T06:25:28Z</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">ipatests/test_xmlrpc/tracker/server_plugin.py: Increase hard coded mindomainlevel
The hard coded mindomainlevel needs to be increased to 1.
See: https://pagure.io/freeipa/issue/7669
Signed-off-by: Thomas Woerner <twoerner@redhat.com>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/commit/ddacf9eb1ae4ca3ad13ed6a9783a341c4ca4fef3">ddacf9eb</a></strong>
<div>
<span>by Thomas Woerner</span>
<i>at 2018-09-24T06:25:28Z</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">replicainstall: Make sure that domain fulfills minimal domain level requirement
The old domain level check to suggest to use ipa-replica-prepare has been
converted to make sure that domain fulfills minimal domain level
requirement (no DL0).
See: https://pagure.io/freeipa/issue/7669
Signed-off-by: Thomas Woerner <twoerner@redhat.com>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/commit/9564fff62301ac11ef577382c19e0fcfd08fae21">9564fff6</a></strong>
<div>
<span>by Florence Blanc-Renaud</span>
<i>at 2018-09-24T10:53:55Z</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">ipatests: mark known failures as xfail
The tests in test_integration/test_installation.py
that inherit from InstallTestBase2 all fail in
test_replica2_ipa_kra_install because of ticket
7654: ipa-kra-install fails on DL1
This is an issue linked to dogtag (see
https://pagure.io/dogtagpki/issue/3055), where the
installation of a KRA clone creates a range depletion
when multiple clones are created from the same master.
Marking the tests as known failure, waiting for dogtag's
fix.
Related to https://pagure.io/freeipa/issue/7654
Reviewed-By: Christian Heimes <cheimes@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/commit/804480c29f9b040d1d781f9b5af09e894fdaf4e8">804480c2</a></strong>
<div>
<span>by Florence Blanc-Renaud</span>
<i>at 2018-09-25T13:19:42Z</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">Tests: remove dl0 tests from nightly definition
Commit fca1167af48651c3454c33c77ef28ec333220040 removed the following tests
from ipatests/test_integration/test_replica_promotion.py:
TestReplicaPromotionLevel0
TestKRAInstall
TestCAInstall
TestReplicaManageCommands
TestOldReplicaWorksAfterDomainUpgrade
but the nightly definition was not updated accordingly.
The fix removes the unexisting tests from nightly.
Related to https://pagure.io/freeipa/issue/7689
Reviewed-By: Tibor Dudlak <tdudlak@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/commit/6dd586c77301c12732d74dfcf416622114b875c3">6dd586c7</a></strong>
<div>
<span>by Christian Heimes</span>
<i>at 2018-09-26T09:42:48Z</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">Disable DL0 specific tests
Disable tests that use domain level 0. Fail early to catch additional
tests that depend on DL0.
See: https://pagure.io/freeipa/issue/7669
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Thomas Woerner <twoerner@redhat.com>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/commit/93502c9dda5ff6192a601680c1334c940375dbb8">93502c9d</a></strong>
<div>
<span>by Thomas Woerner</span>
<i>at 2018-09-26T09:42:48Z</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">Remove ipa-replica-prepare script and man page
This is part of the DL0 code removal. As ipa-replica-prepare is only needed
and useful for domain level 0, the script can be removed.
See: https://pagure.io/freeipa/issue/7689
Signed-off-by: Thomas Woerner <twoerner@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/commit/9dcf1dc64ac51b41c0509b99127aefc6c4de5952">9dcf1dc6</a></strong>
<div>
<span>by Thomas Woerner</span>
<i>at 2018-09-26T09:42:48Z</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">Remove DL0 specific code from ipa-ca-install
Replica files are DL0 specific therefore all the code that is related to
replica files have been removed. An additional check for the new minimal
domain level has been added.
See: https://pagure.io/freeipa/issue/7689
Signed-off-by: Thomas Woerner <twoerner@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/commit/30d0fc07e6251b8c2b05204e8d7acc9886178132">30d0fc07</a></strong>
<div>
<span>by Thomas Woerner</span>
<i>at 2018-09-26T09:42:48Z</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">Remove DL0 specific code from cainstance and ca in ipaserver/install
cainstance.replica_ca_install_check is only used in ca.install_check if
replica_config is not None (replica installation). As it is immediately
stopped if promote is not set, therefore it can be removed.
The check for cafile in ca.install_check has been dropped. promote is set
to True in ca.install_step_0 if replica_config is not None for
cainstance.configure_instance.
See: https://pagure.io/freeipa/issue/7689
Signed-off-by: Thomas Woerner <twoerner@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/commit/ff75a9f7583412aee6a5af7395f4344cea1db63d">ff75a9f7</a></strong>
<div>
<span>by Thomas Woerner</span>
<i>at 2018-09-26T09:42:48Z</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">Remove DL0 specific code from ipa_kra_install in ipaserver/install
Replica files are DL0 specific therefore all the code that is related to
replica files have been removed An additional check for the new minimal
domain level has been added. The use of extra args results in an error as
this was only needed for the replica file.
See: https://pagure.io/freeipa/issue/7689
Signed-off-by: Thomas Woerner <twoerner@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/commit/474acad4c20332436f0bde0fb490ea73f533a8f3">474acad4</a></strong>
<div>
<span>by Thomas Woerner</span>
<i>at 2018-09-26T09:42:48Z</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">Remove DL0 specific code from dsinstance ipaserver/install
Promote is now hard set to True in create_replica for later use in
_get_replication_manager.
See: https://pagure.io/freeipa/issue/7689
Signed-off-by: Thomas Woerner <twoerner@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/commit/232643156df76885a26d41274306591684514b90">23264315</a></strong>
<div>
<span>by Thomas Woerner</span>
<i>at 2018-09-26T09:42:48Z</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">Remove DL0 specific code from kra in ipaserver/install
The code to add missing KRA certificates has been removed from install_check
as it was only reached if replica_config is not None and promote was False
for DL0 replica installations. Also the other places.
Promote is now hard set to True if replica_config is not None in install
for later use in krainstance.
See: https://pagure.io/freeipa/issue/7689
Signed-off-by: Thomas Woerner <twoerner@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/commit/fe6258732e82c7eaa9ac4c9d8203a571b74d4af4">fe625873</a></strong>
<div>
<span>by Thomas Woerner</span>
<i>at 2018-09-26T09:42:48Z</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">Remove unused promote arg in krbinstance.create_replica in ipaserver/install
The argument was not used at all.
See: https://pagure.io/freeipa/issue/7689
Signed-off-by: Thomas Woerner <twoerner@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/commit/3c959134da502d5f43be9e3f9698b7911af9ae2f">3c959134</a></strong>
<div>
<span>by Thomas Woerner</span>
<i>at 2018-09-26T09:42:48Z</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">Remove DL0 specific code from ipa_replica_install in ipaserver/install
Replica files are DL0 specific therefore the knob extension for
replica_file has been removed. Also the code that is only executed if
replica_file is not None.
The new variable replica_install has been added which is used in
ServerInstallInterface.__init__
See: https://pagure.io/freeipa/issue/7689
Signed-off-by: Thomas Woerner <twoerner@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/commit/7e17d73b76eb38b5db9d186dec03cf750e67310a">7e17d73b</a></strong>
<div>
<span>by Thomas Woerner</span>
<i>at 2018-09-26T09:42:48Z</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">Remove DL0 specific code from __init__ in ipaserver/install/server
The methods _is_promote has been removed from all classes as this has only
been used internally to check if the domain level is correct.
The check if the installer object has the attribute replica_file has been
modified to use the new variable replica_install defined in
CompatServerReplicaInstall instead.
The DL0 specific code from ServerInstallInterface.__init__ has been removed
See: https://pagure.io/freeipa/issue/7689
Signed-off-by: Thomas Woerner <twoerner@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/commit/bacef44632ff056538fa8977e41f0a4bb6fc23b6">bacef446</a></strong>
<div>
<span>by Thomas Woerner</span>
<i>at 2018-09-26T09:42:48Z</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">Remove DL0 specific code from replicainstall in ipaserver/install/server
create_replica_config is not imported anymore from
ipaserver.install.installutils.
The promote argument has been removed from these functions and function
calls:
- install_replica_ds
- ds.create_replica
- install_krb
- krbinstance.create_replica
- install_http
- httpinstance.create_instance
The function install_check has been removed completely as it is only used
to prepare the DL0 installation.
All DL0 specific code has been removed from the install function.
The varaibles promote, installer.promote/options.promote and config.promote
have bene removed.
See: https://pagure.io/freeipa/issue/7689
Signed-off-by: Thomas Woerner <twoerner@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/commit/7e7dfcd415cc265877ac8ea9390e3fb8e791caf5">7e7dfcd4</a></strong>
<div>
<span>by Thomas Woerner</span>
<i>at 2018-09-26T09:42:48Z</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">Remove create_replica_config from installutils in ipaserver/install
This function is used to load the replica file. Without DL0 support this
is not needed at all anymore.
See: https://pagure.io/freeipa/issue/7689
Signed-off-by: Thomas Woerner <twoerner@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/commit/fc62c73568d8fe517dd66344b92f030a855f8931">fc62c735</a></strong>
<div>
<span>by Thomas Woerner</span>
<i>at 2018-09-26T09:42:48Z</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">Remove DL0 specific code from custodiainstance in ipaserver/install
iWithout DL0 support the custodia mode can be used to determine if a
server or replica will be installed. Therefore the use of config.promote
can be removed.
A new check has been added to make sure the mode known in
get_custodia_instance.
See: https://pagure.io/freeipa/issue/7689
Signed-off-by: Thomas Woerner <twoerner@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/commit/31cdb978032a7e13a5669d7ce96c0d80c05da84a">31cdb978</a></strong>
<div>
<span>by Thomas Woerner</span>
<i>at 2018-09-26T09:42:48Z</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">Rename CustodiaModes.STANDALONE to CustodiaModes.FIRST_MASTER
This is related to the DL0 code removal. FIRST_MASTER describes this
mode a lot better.
See: https://pagure.io/freeipa/issue/7689
Signed-off-by: Thomas Woerner <twoerner@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/commit/e0a07717e91118035c714088f754af09901479b7">e0a07717</a></strong>
<div>
<span>by Thomas Woerner</span>
<i>at 2018-09-26T09:42:48Z</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">Remove options.promote from install in ipaserver/install/server/install
There is no need to set options.promote to false anymore for a server
installation in the install function.
See: https://pagure.io/freeipa/issue/7689
Signed-off-by: Thomas Woerner <twoerner@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/commit/8eefa92be4d7d1c0e5c29ce952173a3505489ca8">8eefa92b</a></strong>
<div>
<span>by Thomas Woerner</span>
<i>at 2018-09-26T09:42:48Z</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">Remove replica_file from ClientInstall class in ipaclient/install/client.py
There is no need to set replica_file to None for client installations.
See: https://pagure.io/freeipa/issue/7689
Signed-off-by: Thomas Woerner <twoerner@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/commit/84204473171d279acf9a34a0a2eed9c1a0778e5e">84204473</a></strong>
<div>
<span>by Thomas Woerner</span>
<i>at 2018-09-26T09:42:48Z</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">Remove replica_file knob from ipalib/install/service.py
The replica_file option is not needed anymore. Threfore the option can
be removed.
See: https://pagure.io/freeipa/issue/7689
Signed-off-by: Thomas Woerner <twoerner@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/commit/6ee7c437e18b70b29ffcbcdef4f384492e4485ce">6ee7c437</a></strong>
<div>
<span>by Thomas Woerner</span>
<i>at 2018-09-26T09:42:48Z</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">Remove DL0 specific tests from ipatests/test_integration/test_replica_promotion.py
These tests have been skipped already before. Therefore they can be removed.
See: https://pagure.io/freeipa/issue/7689
Signed-off-by: Thomas Woerner <twoerner@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/commit/ec993c9082cbd685c3768ff6818f2547a999e05a">ec993c90</a></strong>
<div>
<span>by Thomas Woerner</span>
<i>at 2018-09-26T09:42:48Z</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">Remove DL0 specific code from ipatests/pytest_ipa/integration/tasks.py
The functions get_replica_filename and replica_prepare are not needed anymore
with the DL0 removal. The DL0 specific code has been removed from the
functions install_replica, install_kra and install_ca.
See: https://pagure.io/freeipa/issue/7689
Signed-off-by: Thomas Woerner <twoerner@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/commit/a7b2487fbec1c799d70b770e5f9ef1dbaf13bbee">a7b2487f</a></strong>
<div>
<span>by Thomas Woerner</span>
<i>at 2018-09-26T09:42:48Z</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">Remove DL0 specific code from ipatests/test_integration/test_caless.py
See: https://pagure.io/freeipa/issue/7689
Signed-off-by: Thomas Woerner <twoerner@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/commit/1c6b957ffc127942a14e05933792e9729f766b69">1c6b957f</a></strong>
<div>
<span>by Alexander Bokovoy</span>
<i>at 2018-09-26T12:19:06Z</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">Support Samba 4.9
Samba 4.9 became a bit more strict about creating a local NT token and a
failure to resolve or create BUILTIN\Guests group will cause a rejection
of the connection for a successfully authenticated one.
Add a default mapping of the nobody group to BUILTIN\Guests.
BUILTIN\Guests is a special group SID that is added to the NT token for
authenticated users.
For real guests there is 'guest account' option in smb.conf which
defaults to 'nobody' user.
This was implicit behavior before as 'guest account = nobody' by
default would pick up 'nobody' group as well.
Fixes: https://pagure.io/freeipa/issue/7705
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/commit/d0c503e534143c56f9b3d0036cfdf720f3962802">d0c503e5</a></strong>
<div>
<span>by Florence Blanc-Renaud</span>
<i>at 2018-09-26T12:20:03Z</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">ipa-server-upgrade: fix inconsistency in setup_lightweight_ca_key_retrieval
The method setup_lightweight_ca_key_retrieval is called on
server upgrade and checks first if it needs to be executed or if
a previous upgrade already did the required steps.
The issue is that it looks for setup_lwca_key_retrieval in sysupgrade.state
but writes setup_lwca_key_retieval (with a missing r).
The fix consistently uses setup_lwca_key_retieval (as older installations
may already contain this key in sysupgrade.state).
Fixes https://pagure.io/freeipa/issue/7688
Reviewed-By: Fraser Tweedale <ftweedal@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/commit/35d3b573ad87968be83f1fad1961af0ea707849b">35d3b573</a></strong>
<div>
<span>by Stanislav Levin</span>
<i>at 2018-09-26T14:04:24Z</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">Fix loading 'freeipa/text' at production mode
As for now 'ssbrowser.html' and 'unauthorized.html' pages are
loaded without JS error at development mode only.
There is no standalone 'freeipa/text' module as source at
production mode. Thus 'core' one have to be loaded first and
then 'text'.
Reviewed-By: Serhii Tsymbaliuk <stsymbal@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/commit/85a54ef83a9461d89080d2cadf04fda2cc2ca1da">85a54ef8</a></strong>
<div>
<span>by Christian Heimes</span>
<i>at 2018-09-27T07:17:05Z</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">Workaround for pyasn1 0.4
pyasn1 0.4 changed handling of ANY containers in a backwards
incompatible way. For 0.3.x, keep explicit wrap and unwrap in octet
strings for ANY container members. For >= 0.4, let pyasn1 do the job.
This patch also makes sorting of extended_key_usage_bytes() stable and
adds tests.
Tested with pyasn1 0.3.7 and 0.4.4.
Fixes: https://pagure.io/freeipa/issue/7685
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Fraser Tweedale <ftweedal@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/commit/eaf58bb63678dac05eb9733441327567309dfe00">eaf58bb6</a></strong>
<div>
<span>by Christian Heimes</span>
<i>at 2018-09-27T09:50:55Z</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">Sprinkle raw strings across the code base
tox / pytest is complaining about lots and lots of invalid escape
sequences in our code base. Sprinkle raw strings or backslash escapes
across the code base to fix most occurences of:
DeprecationWarning: invalid escape sequence
There is still one warning that keeps repeating, though:
source:264: DeprecationWarning: invalid escape sequence \d
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/commit/5a25dc5375c20f961ef6006f39070fddb3a11908">5a25dc53</a></strong>
<div>
<span>by Christian Heimes</span>
<i>at 2018-09-27T14:57:28Z</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">Require sssd-ipa instead of sssd meta pkg
The sssd meta package pulls in additional dependencies that are not
required by IPA clients. Only depend on sssd-ipa.
Also update SSSD to 1.16.3-2 with fixes with support for One-Way Trust
authenticated by trust secret.
See: https://bugzilla.redhat.com/show_bug.cgi?id=1345975
See: https://pagure.io/freeipa/issue/7710
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/commit/850eea357b49d7c140107cf5908579e0c7503d6d">850eea35</a></strong>
<div>
<span>by Stanislav Levin</span>
<i>at 2018-09-28T08:30:22Z</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">Drop concatenated title of remove dialog
As for now the default title of remove dialogs is set to
'Remove ${entity}', where 'entity' is also translatable text.
This construction is used via method 'create_remove_dialog'
of Search facet for the all association 'Delete' actions of
entities.
The such concatenation leads to a bad quality translation and
should be changed to an entire sentence.
>From now a mentioned title is taken from a spec and should be
specified explicitly.
Fixes: https://pagure.io/freeipa/issue/7699
Reviewed-By: Serhii Tsymbaliuk <stsymbal@redhat.com>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/commit/72e97f2e24b0065feb998412fd6f73ae0d17cb90">72e97f2e</a></strong>
<div>
<span>by Stanislav Levin</span>
<i>at 2018-09-28T08:30:22Z</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">Add title to remove dialog of 'Users' entity
To improve translation quality the title of Remove dialog
should be specified explicitly in the spec and should be an
entire sentence.
Fixes: https://pagure.io/freeipa/issue/7699
Reviewed-By: Serhii Tsymbaliuk <stsymbal@redhat.com>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/commit/b8af0b3287e32042c31e2c335b003b364ea7fd6f">b8af0b32</a></strong>
<div>
<span>by Stanislav Levin</span>
<i>at 2018-09-28T08:30:22Z</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">Add title to remove dialog of 'Hosts' entity
To improve translation quality the title of Remove dialog
should be specified explicitly in the spec and should be an
entire sentence.
Fixes: https://pagure.io/freeipa/issue/7699
Reviewed-By: Serhii Tsymbaliuk <stsymbal@redhat.com>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/commit/4357ac540a6261ad50960306d1f2a5debdb8e6ba">4357ac54</a></strong>
<div>
<span>by Stanislav Levin</span>
<i>at 2018-09-28T08:30:22Z</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">Add title to remove dialog of 'Services' entity
To improve translation quality the title of Remove dialog
should be specified explicitly in the spec and should be an
entire sentence.
Fixes: https://pagure.io/freeipa/issue/7699
Reviewed-By: Serhii Tsymbaliuk <stsymbal@redhat.com>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/commit/6a1c3633ceb5314f9c5d5a120ad035d61783b743">6a1c3633</a></strong>
<div>
<span>by Stanislav Levin</span>
<i>at 2018-09-28T08:30:22Z</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">Add title to remove dialog of 'Groups' entity
To improve translation quality the title of Remove dialog
should be specified explicitly in the spec and should be an
entire sentence.
Fixes: https://pagure.io/freeipa/issue/7699
Reviewed-By: Serhii Tsymbaliuk <stsymbal@redhat.com>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/commit/abdcfeb7c31c86ef1a57d3490df93604f00d261b">abdcfeb7</a></strong>
<div>
<span>by Stanislav Levin</span>
<i>at 2018-09-28T08:30:22Z</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">Add title to remove dialog of 'ID Views' entity
To improve translation quality the title of Remove dialog
should be specified explicitly in the spec and should be an
entire sentence.
Fixes: https://pagure.io/freeipa/issue/7699
Reviewed-By: Serhii Tsymbaliuk <stsymbal@redhat.com>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/commit/19f194d617e4ebda3ec19aa0e582456d75a10da3">19f194d6</a></strong>
<div>
<span>by Stanislav Levin</span>
<i>at 2018-09-28T08:30:22Z</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">Add title to remove dialog of 'Automember' entity
To improve translation quality the title of Remove dialog
should be specified explicitly in the spec and should be an
entire sentence.
Fixes: https://pagure.io/freeipa/issue/7699
Reviewed-By: Serhii Tsymbaliuk <stsymbal@redhat.com>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/commit/2c45a745f871321eae37356a74113b2e7ddf70b4">2c45a745</a></strong>
<div>
<span>by Stanislav Levin</span>
<i>at 2018-09-28T08:30:22Z</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">Add title to remove dialog of 'HBAC' entity
To improve translation quality the title of Remove dialog
should be specified explicitly in the spec and should be an
entire sentence.
Fixes: https://pagure.io/freeipa/issue/7699
Reviewed-By: Serhii Tsymbaliuk <stsymbal@redhat.com>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/commit/46e3be4009442568945dfc3d3fa847c298deba0e">46e3be40</a></strong>
<div>
<span>by Stanislav Levin</span>
<i>at 2018-09-28T08:30:22Z</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">Add title to remove dialog of 'Sudo' entity
To improve translation quality the title of Remove dialog
should be specified explicitly in the spec and should be an
entire sentence.
Fixes: https://pagure.io/freeipa/issue/7699
Reviewed-By: Serhii Tsymbaliuk <stsymbal@redhat.com>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/commit/6a8a9bcc1b47f402814e8041c351edbcd1ee38a2">6a8a9bcc</a></strong>
<div>
<span>by Stanislav Levin</span>
<i>at 2018-09-28T08:30:22Z</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">Add title to remove dialog of 'SELinux User Maps' entity
To improve translation quality the title of Remove dialog
should be specified explicitly in the spec and should be an
entire sentence.
Fixes: https://pagure.io/freeipa/issue/7699
Reviewed-By: Serhii Tsymbaliuk <stsymbal@redhat.com>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/commit/ff7dc517d7582623f8287e21bc605c9c4c1bad1b">ff7dc517</a></strong>
<div>
<span>by Stanislav Levin</span>
<i>at 2018-09-28T08:30:22Z</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">Add title to remove dialog of 'Password Policies' entity
To improve translation quality the title of Remove dialog
should be specified explicitly in the spec and should be an
entire sentence.
Fixes: https://pagure.io/freeipa/issue/7699
Reviewed-By: Serhii Tsymbaliuk <stsymbal@redhat.com>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/commit/d5eb7831400dedace78cf4544afff4b303b45117">d5eb7831</a></strong>
<div>
<span>by Stanislav Levin</span>
<i>at 2018-09-28T08:30:22Z</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">Add title to remove dialog of 'Certificates' entity
To improve translation quality the title of Remove dialog
should be specified explicitly in the spec and should be an
entire sentence.
Fixes: https://pagure.io/freeipa/issue/7699
Reviewed-By: Serhii Tsymbaliuk <stsymbal@redhat.com>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/commit/b13d825e99b56c829fe2e58808f56f93a7f4b980">b13d825e</a></strong>
<div>
<span>by Stanislav Levin</span>
<i>at 2018-09-28T08:30:22Z</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">Add title to remove dialog of 'OTP Tokens' entity
To improve translation quality the title of Remove dialog
should be specified explicitly in the spec and should be an
entire sentence.
Fixes: https://pagure.io/freeipa/issue/7699
Reviewed-By: Serhii Tsymbaliuk <stsymbal@redhat.com>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/commit/6461d9c3aa2bd35d16c63e0b34f5e47c788bdd9e">6461d9c3</a></strong>
<div>
<span>by Stanislav Levin</span>
<i>at 2018-09-28T08:30:22Z</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">Add title to remove dialog of 'RADIUS Servers' entity
To improve translation quality the title of Remove dialog
should be specified explicitly in the spec and should be an
entire sentence.
Fixes: https://pagure.io/freeipa/issue/7699
Reviewed-By: Serhii Tsymbaliuk <stsymbal@redhat.com>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/commit/97fd70ee8d41fe82a30c2c820fe2b364be8dc86a">97fd70ee</a></strong>
<div>
<span>by Stanislav Levin</span>
<i>at 2018-09-28T08:30:22Z</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">Add title to remove dialog of 'Certificate Identity Mapping Rules' entity
To improve translation quality the title of Remove dialog
should be specified explicitly in the spec and should be an
entire sentence.
Fixes: https://pagure.io/freeipa/issue/7699
Reviewed-By: Serhii Tsymbaliuk <stsymbal@redhat.com>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/commit/e7ff1982b6481930ef9fd4dc055b0bc2576fa9e6">e7ff1982</a></strong>
<div>
<span>by Stanislav Levin</span>
<i>at 2018-09-28T08:30:22Z</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">Add title to remove dialog of 'Automount Locations' entity
To improve translation quality the title of Remove dialog
should be specified explicitly in the spec and should be an
entire sentence.
Fixes: https://pagure.io/freeipa/issue/7699
Reviewed-By: Serhii Tsymbaliuk <stsymbal@redhat.com>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/commit/9e85373c1abd0a2bb454d859f7059c25215634ca">9e85373c</a></strong>
<div>
<span>by Stanislav Levin</span>
<i>at 2018-09-28T08:30:22Z</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">Add title to remove dialog of 'DNS' entity
To improve translation quality the title of Remove dialog
should be specified explicitly in the spec and should be an
entire sentence.
Fixes: https://pagure.io/freeipa/issue/7699
Reviewed-By: Serhii Tsymbaliuk <stsymbal@redhat.com>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/commit/a06d410ec365c687ffaae18d2ed6d64e03909dbb">a06d410e</a></strong>
<div>
<span>by Stanislav Levin</span>
<i>at 2018-09-28T08:30:22Z</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">Add title to remove dialog of 'RBAC' entity
To improve translation quality the title of Remove dialog
should be specified explicitly in the spec and should be an
entire sentence.
Fixes: https://pagure.io/freeipa/issue/7699
Reviewed-By: Serhii Tsymbaliuk <stsymbal@redhat.com>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/commit/68a1279091b2a97f784c1691619fa227510c5dab">68a12790</a></strong>
<div>
<span>by Stanislav Levin</span>
<i>at 2018-09-28T08:30:22Z</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">Add title to remove dialog of 'ID Ranges' entity
To improve translation quality the title of Remove dialog
should be specified explicitly in the spec and should be an
entire sentence.
Fixes: https://pagure.io/freeipa/issue/7699
Reviewed-By: Serhii Tsymbaliuk <stsymbal@redhat.com>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/commit/afbaea15dede0a4272b27407c814ac129e180a3f">afbaea15</a></strong>
<div>
<span>by Stanislav Levin</span>
<i>at 2018-09-28T08:30:22Z</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">Add title to remove dialog of 'Topology' entity
To improve translation quality the title of Remove dialog
should be specified explicitly in the spec and should be an
entire sentence.
Fixes: https://pagure.io/freeipa/issue/7699
Reviewed-By: Serhii Tsymbaliuk <stsymbal@redhat.com>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/commit/ee9645202016c24bfc381c1fdee49852ffd1a4c2">ee964520</a></strong>
<div>
<span>by Stanislav Levin</span>
<i>at 2018-09-28T08:30:22Z</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">Add title to remove dialog of 'Trusts' entity
To improve translation quality the title of Remove dialog
should be specified explicitly in the spec and should be an
entire sentence.
Fixes: https://pagure.io/freeipa/issue/7699
Reviewed-By: Serhii Tsymbaliuk <stsymbal@redhat.com>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/commit/d6d11bef46a197e2609319537473b7fa98f99017">d6d11bef</a></strong>
<div>
<span>by Stanislav Levin</span>
<i>at 2018-09-28T08:30:22Z</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">Drop concatenated title of remove dialog
As for now the default title of remove dialogs, which are
initialized from 'association' facet, is set to something like
'Remove ${other_entity} from ${entity} ${primary_key}', where
'other_entity' and 'entity' are also translatable texts.
This construction is used via method 'show_remove_dialog'
of 'association' facet for the all 'Delete' actions within details
of entities.
Such concatenation leads to a bad quality translation and
should be changed to an entire sentence.
>From now a mentioned title is taken from a spec and should be
specified explicitly.
Fixes: https://pagure.io/freeipa/issue/7702
Reviewed-By: Serhii Tsymbaliuk <stsymbal@redhat.com>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/commit/cc3c38a72d2b1a87a0d3aa82d7f6a0ab42aba6b5">cc3c38a7</a></strong>
<div>
<span>by Stanislav Levin</span>
<i>at 2018-09-28T08:30:22Z</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">Add a title to 'remove' dialog for details of 'Users' entity
To improve translation quality the title of 'Remove' dialog,
which is initialized within details of the entity, should be
specified explicitly in the spec and should be an entire sentence.
Fixes: https://pagure.io/freeipa/issue/7702
Reviewed-By: Serhii Tsymbaliuk <stsymbal@redhat.com>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/commit/b64b0aa69402e9f237565d4e9620a71ced051897">b64b0aa6</a></strong>
<div>
<span>by Stanislav Levin</span>
<i>at 2018-09-28T08:30:22Z</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">Add a title to 'remove' dialog for details of 'Hosts' entity
To improve translation quality the title of 'Remove' dialog,
which is initialized within details of the entity, should be
specified explicitly in the spec and should be an entire sentence.
Fixes: https://pagure.io/freeipa/issue/7702
Reviewed-By: Serhii Tsymbaliuk <stsymbal@redhat.com>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/commit/65427f9412f5b69cb9f22fd8b0cc3b6d94a0a135">65427f94</a></strong>
<div>
<span>by Stanislav Levin</span>
<i>at 2018-09-28T08:30:22Z</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">Add a title to 'remove' dialog for details of 'Services' entity
To improve translation quality the title of 'Remove' dialog,
which is initialized within details of the entity, should be
specified explicitly in the spec and should be an entire sentence.
Fixes: https://pagure.io/freeipa/issue/7702
Reviewed-By: Serhii Tsymbaliuk <stsymbal@redhat.com>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/commit/dcf1803c961d7c00fddd7f87472dd674f8933baf">dcf1803c</a></strong>
<div>
<span>by Stanislav Levin</span>
<i>at 2018-09-28T08:30:22Z</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">Add a title to 'remove' dialog for details of 'Groups' entity
To improve translation quality the title of 'Remove' dialog,
which is initialized within details of the entity, should be
specified explicitly in the spec and should be an entire sentence.
Fixes: https://pagure.io/freeipa/issue/7702
Reviewed-By: Serhii Tsymbaliuk <stsymbal@redhat.com>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/commit/6ec6dafa783870a076b44734a5fd70471f5c943c">6ec6dafa</a></strong>
<div>
<span>by Stanislav Levin</span>
<i>at 2018-09-28T08:30:22Z</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">Add a title to 'remove' dialog for details of 'HBAC' entity
To improve translation quality the title of 'Remove' dialog,
which is initialized within details of the entity, should be
specified explicitly in the spec and should be an entire sentence.
Fixes: https://pagure.io/freeipa/issue/7702
Reviewed-By: Serhii Tsymbaliuk <stsymbal@redhat.com>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/commit/865bbea73e12d312a1a1f33fbb3e638664a49e33">865bbea7</a></strong>
<div>
<span>by Stanislav Levin</span>
<i>at 2018-09-28T08:30:22Z</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">Add a title to 'remove' dialog for details of 'Sudo' entity
To improve translation quality the title of 'Remove' dialog,
which is initialized within details of the entity, should be
specified explicitly in the spec and should be an entire sentence.
Fixes: https://pagure.io/freeipa/issue/7702
Reviewed-By: Serhii Tsymbaliuk <stsymbal@redhat.com>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/commit/20d9b21fa11a1533d122a1e3d186fe6140f26c37">20d9b21f</a></strong>
<div>
<span>by Stanislav Levin</span>
<i>at 2018-09-28T08:30:22Z</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">Add a title to 'remove' dialog for details of 'OTP Tokens' entity
To improve translation quality the title of 'Remove' dialog,
which is initialized within details of the entity, should be
specified explicitly in the spec and should be an entire sentence.
Fixes: https://pagure.io/freeipa/issue/7702
Reviewed-By: Serhii Tsymbaliuk <stsymbal@redhat.com>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/commit/881a67395be0ea90f8e2c7592f5d787df39de16e">881a6739</a></strong>
<div>
<span>by Stanislav Levin</span>
<i>at 2018-09-28T08:30:22Z</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">Add a title to 'remove' dialog for details of 'RBAC' entity
To improve translation quality the title of 'Remove' dialog,
which is initialized within details of the entity, should be
specified explicitly in the spec and should be an entire sentence.
Fixes: https://pagure.io/freeipa/issue/7702
Reviewed-By: Serhii Tsymbaliuk <stsymbal@redhat.com>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/commit/1785168ab7b0947ac1d319f97cfaeca7c768967e">1785168a</a></strong>
<div>
<span>by Stanislav Levin</span>
<i>at 2018-09-28T08:30:22Z</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">Add a title to 'remove' dialog for details of 'Trusts' entity
To improve translation quality the title of 'Remove' dialog,
which is initialized within details of the entity, should be
specified explicitly in the spec and should be an entire sentence.
Fixes: https://pagure.io/freeipa/issue/7702
Reviewed-By: Serhii Tsymbaliuk <stsymbal@redhat.com>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/commit/f72aa37e363dc50090e82a54304daa921de11240">f72aa37e</a></strong>
<div>
<span>by Stanislav Levin</span>
<i>at 2018-09-28T08:30:22Z</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">Drop concatenated title of remove dialog
As for now the default title of remove dialogs, which are
initialized from 'association_table' facet, is set to something
like 'Remove ${other_entity} from ${entity} ${primary_key}',
where 'other_entity' and 'entity' are also translatable texts.
This construction is used via method 'show_remove_dialog'
of 'association_table' widget for the all 'Delete' actions within
details of entities.
Such concatenation leads to a bad quality translation and
should be changed to an entire sentence.
>From now a mentioned title is taken from a spec and should be
specified explicitly.
Fixes: https://pagure.io/freeipa/issue/7704
Reviewed-By: Serhii Tsymbaliuk <stsymbal@redhat.com>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/commit/6e8c6a4e79cabef8c54b275b30541a3beb1eb512">6e8c6a4e</a></strong>
<div>
<span>by Stanislav Levin</span>
<i>at 2018-09-28T08:30:22Z</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">Add title to 'remove' dialog for 'association_table' widget of 'Hosts' entity
To improve translation quality the title of 'Remove' dialog,
which is initialized within details table of the entity, should be
specified explicitly in the spec and should be an entire sentence.
Fixes: https://pagure.io/freeipa/issue/7704
Reviewed-By: Serhii Tsymbaliuk <stsymbal@redhat.com>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/commit/db5e0f8029a7e225246724f56f11049dd0338012">db5e0f80</a></strong>
<div>
<span>by Stanislav Levin</span>
<i>at 2018-09-28T08:30:22Z</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">Add title to 'remove' dialog for 'association_table' widget of 'Services' entity
To improve translation quality the title of 'Remove' dialog,
which is initialized within details table of the entity, should be
specified explicitly in the spec and should be an entire sentence.
Fixes: https://pagure.io/freeipa/issue/7704
Reviewed-By: Serhii Tsymbaliuk <stsymbal@redhat.com>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/commit/f0f2f44325c8558b05d6e3a701d6aa4cd41ec954">f0f2f443</a></strong>
<div>
<span>by Stanislav Levin</span>
<i>at 2018-09-28T08:30:22Z</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">Add title to 'remove' dialog for 'association_table' widget of 'Groups' entity
To improve translation quality the title of 'Remove' dialog,
which is initialized within details table of the entity, should be
specified explicitly in the spec and should be an entire sentence.
Fixes: https://pagure.io/freeipa/issue/7704
Reviewed-By: Serhii Tsymbaliuk <stsymbal@redhat.com>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/commit/cdc605f14e55c70ea1740b3bde3e83e0a032f086">cdc605f1</a></strong>
<div>
<span>by Stanislav Levin</span>
<i>at 2018-09-28T08:30:22Z</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">Allow having a custom title of 'Remove' dialog for 'attribute_table' widget
Fixes: https://pagure.io/freeipa/issue/7704
Reviewed-By: Serhii Tsymbaliuk <stsymbal@redhat.com>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/commit/31f5db2873e1e673d65b532953663f3a1b3f46bc">31f5db28</a></strong>
<div>
<span>by Stanislav Levin</span>
<i>at 2018-09-28T08:30:22Z</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">Add title to 'Remove' dialog for 'association_table' widget of 'Automember' entity
To improve translation quality the title of 'Remove' dialog,
which is initialized within details table of the entity, should be
specified explicitly in the spec and should be an entire sentence.
Fixes: https://pagure.io/freeipa/issue/7704
Reviewed-By: Serhii Tsymbaliuk <stsymbal@redhat.com>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/commit/14acf96e66d71a16a8189d02dbdc7d2d5f5fe73c">14acf96e</a></strong>
<div>
<span>by Stanislav Levin</span>
<i>at 2018-09-28T08:30:22Z</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">Add title to 'Remove' dialog for 'association_table' widget of 'HBAC' entity
To improve translation quality the title of 'Remove' dialog,
which is initialized within details table of the entity, should be
specified explicitly in the spec and should be an entire sentence.
Fixes: https://pagure.io/freeipa/issue/7704
Reviewed-By: Serhii Tsymbaliuk <stsymbal@redhat.com>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/commit/b56ff7f4b947a1cd1a508f3a3e40e4a76e9e3dd6">b56ff7f4</a></strong>
<div>
<span>by Stanislav Levin</span>
<i>at 2018-09-28T08:30:22Z</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">Add title to 'Remove' dialog for 'association_table' widget of 'Sudo' entity
To improve translation quality the title of 'Remove' dialog,
which is initialized within details table of the entity, should be
specified explicitly in the spec and should be an entire sentence.
Fixes: https://pagure.io/freeipa/issue/7704
Reviewed-By: Serhii Tsymbaliuk <stsymbal@redhat.com>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/commit/14aa7bfd5e337aaef8bad90ffb8ce729f7facea6">14aa7bfd</a></strong>
<div>
<span>by Stanislav Levin</span>
<i>at 2018-09-28T08:30:22Z</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">Add title to 'Remove' dialog for 'association_table' widget of 'SELinux' entity
To improve translation quality the title of 'Remove' dialog,
which is initialized within details table of the entity, should be
specified explicitly in the spec and should be an entire sentence.
Fixes: https://pagure.io/freeipa/issue/7704
Reviewed-By: Serhii Tsymbaliuk <stsymbal@redhat.com>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/commit/176ec4a8c30df4109ad927a37d86f6afdbbcd60a">176ec4a8</a></strong>
<div>
<span>by Stanislav Levin</span>
<i>at 2018-09-28T08:30:22Z</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">Add title to 'Remove' dialog for 'association_table' widget of 'CA' entity
To improve translation quality the title of 'Remove' dialog,
which is initialized within details table of the entity, should be
specified explicitly in the spec and should be an entire sentence.
Fixes: https://pagure.io/freeipa/issue/7704
Reviewed-By: Serhii Tsymbaliuk <stsymbal@redhat.com>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/commit/3890280e85f139ab8b2acc37a69494152266e645">3890280e</a></strong>
<div>
<span>by Stanislav Levin</span>
<i>at 2018-09-28T08:30:22Z</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">Add title to 'Remove' dialog for 'association_table' widget of 'Topology' entity
To improve translation quality the title of 'Remove' dialog,
which is initialized within details table of the entity, should be
specified explicitly in the spec and should be an entire sentence.
Fixes: https://pagure.io/freeipa/issue/7704
Reviewed-By: Serhii Tsymbaliuk <stsymbal@redhat.com>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/commit/9e4f6857f98d96f6432d9bbf0102074ed47b19bd">9e4f6857</a></strong>
<div>
<span>by Stanislav Levin</span>
<i>at 2018-09-28T08:30:22Z</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">Add title to 'Remove' dialog for 'association_table' widget of 'Vault' entity
To improve translation quality the title of 'Remove' dialog,
which is initialized within details table of the entity, should be
specified explicitly in the spec and should be an entire sentence.
Fixes: https://pagure.io/freeipa/issue/7704
Reviewed-By: Serhii Tsymbaliuk <stsymbal@redhat.com>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/commit/85a96ddcb8fa94939f19ee955994cd37aa3c02d5">85a96ddc</a></strong>
<div>
<span>by Stanislav Levin</span>
<i>at 2018-09-28T08:30:22Z</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">Add title to 'unprovision' dialog
To improve translation quality the title of 'unprovision' dialog
should be specified explicitly in the spec and should be an entire
sentence.
Fixes: https://pagure.io/freeipa/issue/7704
Reviewed-By: Serhii Tsymbaliuk <stsymbal@redhat.com>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/commit/9cccf6ae8fb96654046cba3e4df9dba22f5f00ef">9cccf6ae</a></strong>
<div>
<span>by Stanislav Levin</span>
<i>at 2018-09-28T08:30:22Z</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">Add title to remove dialog of 'DNS' entity
To improve translation quality the title of Remove dialog
should be specified explicitly in the spec and should be an
entire sentence.
Fixes: https://pagure.io/freeipa/issue/7704
Reviewed-By: Serhii Tsymbaliuk <stsymbal@redhat.com>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/commit/2bb4fc20dd191791f43170522f125fd3c8fae198">2bb4fc20</a></strong>
<div>
<span>by Stanislav Levin</span>
<i>at 2018-09-28T08:30:22Z</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">Fix javascript 'errors' found by jslint
There are several JavaScript errors, which have come with PRs:
2362, 2371, 2372.
JavaScript code have to follow jsl requires.
Fixes: https://pagure.io/freeipa/issue/7717
Fixes: https://pagure.io/freeipa/issue/7718
Reviewed-By: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/commit/042cf811578f5a40d90fc1bceb779a1fe99c3565">042cf811</a></strong>
<div>
<span>by Stanislav Levin</span>
<i>at 2018-09-28T08:30:22Z</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">Add jslint check to PR CI tests
For now, from all possible lint checks, pylint applies only.
jslint can prevent JavaScript errors at WebUI.
Fixes: https://pagure.io/freeipa/issue/7717
Fixes: https://pagure.io/freeipa/issue/7718
Reviewed-By: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/commit/3a97581a26a7b9a884591574042391f643813829">3a97581a</a></strong>
<div>
<span>by Stanislav Levin</span>
<i>at 2018-10-01T09:34:08Z</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">Drop concatenated title of 'add' dialog
As for now the default title of 'add' dialog is set to something
like 'Add ${entity}', where 'entity' is also translatable text.
Such construction is used via method 'adder_dialog' of Entity
for the all 'Add' actions.
This leads to a bad quality translation and should be changed to
an entire sentence.
>From now a mentioned title is taken from a spec and should be
specified explicitly.
Fixes: https://pagure.io/freeipa/issue/7707
Reviewed-By: Serhii Tsymbaliuk <stsymbal@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/commit/bf5b4db90927f7546676426ff7acef871467882b">bf5b4db9</a></strong>
<div>
<span>by Stanislav Levin</span>
<i>at 2018-10-01T09:34:08Z</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">Add title to 'add' dialog for 'Users' entity
To improve translation quality the title of 'Add' dialog should be
specified explicitly in the spec and should be an entire sentence.
Fixes: https://pagure.io/freeipa/issue/7707
Reviewed-By: Serhii Tsymbaliuk <stsymbal@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/commit/6790151dd912e7a759130c6ecf434f14a2a2c472">6790151d</a></strong>
<div>
<span>by Stanislav Levin</span>
<i>at 2018-10-01T09:34:08Z</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">Add title to 'add' dialog for 'OTP' entity
To improve translation quality the title of 'Add' dialog should be
specified explicitly in the spec and should be an entire sentence.
Fixes: https://pagure.io/freeipa/issue/7707
Reviewed-By: Serhii Tsymbaliuk <stsymbal@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/commit/ece3f75202330594760073a561dbd35c516b86c0">ece3f752</a></strong>
<div>
<span>by Stanislav Levin</span>
<i>at 2018-10-01T09:34:08Z</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">Add title to 'add' dialog for 'Host' entity
To improve translation quality the title of 'Add' dialog should be
specified explicitly in the spec and should be an entire sentence.
Fixes: https://pagure.io/freeipa/issue/7707
Reviewed-By: Serhii Tsymbaliuk <stsymbal@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/commit/98f40993fa3f317bb6097ca0c23808d6468f26c5">98f40993</a></strong>
<div>
<span>by Stanislav Levin</span>
<i>at 2018-10-01T09:34:08Z</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">Add title to 'add' dialog for 'Service' entity
To improve translation quality the title of 'Add' dialog should be
specified explicitly in the spec and should be an entire sentence.
Fixes: https://pagure.io/freeipa/issue/7707
Reviewed-By: Serhii Tsymbaliuk <stsymbal@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/commit/8d922ebcc12850787b654c7328974fe5d9ad1952">8d922ebc</a></strong>
<div>
<span>by Stanislav Levin</span>
<i>at 2018-10-01T09:34:08Z</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">Add title to 'add' dialog for 'Groups' entity
To improve translation quality the title of 'Add' dialog should be
specified explicitly in the spec and should be an entire sentence.
Fixes: https://pagure.io/freeipa/issue/7707
Reviewed-By: Serhii Tsymbaliuk <stsymbal@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/commit/4e6b7415a478c84ffe8b7f2dc37a8f96fd99bc2f">4e6b7415</a></strong>
<div>
<span>by Stanislav Levin</span>
<i>at 2018-10-01T09:34:08Z</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">Add title to 'add' dialog for 'ID Views' entity
To improve translation quality the title of 'Add' dialog should be
specified explicitly in the spec and should be an entire sentence.
Fixes: https://pagure.io/freeipa/issue/7707
Reviewed-By: Serhii Tsymbaliuk <stsymbal@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/commit/dd533aeb32b1264271d5b9b5fa43e3515a0c44be">dd533aeb</a></strong>
<div>
<span>by Stanislav Levin</span>
<i>at 2018-10-01T09:34:08Z</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">Drop concatenated title of 'add' dialog for 'attribute_table' widget
To improve translation quality the title of 'Add' dialog should be
specified explicitly in the spec and should be an entire sentence.
Fixes: https://pagure.io/freeipa/issue/7707
Reviewed-By: Serhii Tsymbaliuk <stsymbal@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/commit/f5efeb149089edfed772c1b5c56ec2fa47824e7b">f5efeb14</a></strong>
<div>
<span>by Stanislav Levin</span>
<i>at 2018-10-01T09:34:08Z</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">Add title to 'add' dialog for 'Automember' entity
To improve translation quality the title of 'Add' dialog should be
specified explicitly in the spec and should be an entire sentence.
Fixes: https://pagure.io/freeipa/issue/7707
Reviewed-By: Serhii Tsymbaliuk <stsymbal@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/commit/77666404b42d99c4b32f40ee3f9b69b04742b230">77666404</a></strong>
<div>
<span>by Stanislav Levin</span>
<i>at 2018-10-01T09:34:08Z</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">Add title to 'add' dialog for 'HBAC' entity
To improve translation quality the title of 'Add' dialog should be
specified explicitly in the spec and should be an entire sentence.
Fixes: https://pagure.io/freeipa/issue/7707
Reviewed-By: Serhii Tsymbaliuk <stsymbal@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/commit/68f22cf67bbe9108d5c57f115c21e0f349fa11d4">68f22cf6</a></strong>
<div>
<span>by Stanislav Levin</span>
<i>at 2018-10-01T09:34:08Z</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">Add title to 'add' dialog for 'Sudo' entity
To improve translation quality the title of 'Add' dialog should be
specified explicitly in the spec and should be an entire sentence.
Fixes: https://pagure.io/freeipa/issue/7707
Reviewed-By: Serhii Tsymbaliuk <stsymbal@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/commit/4ad486fe1127a2759aa9b66b23dfd963c6f6777f">4ad486fe</a></strong>
<div>
<span>by Stanislav Levin</span>
<i>at 2018-10-01T09:34:08Z</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">Add title to 'add' dialog for 'SELinux' entity
To improve translation quality the title of 'Add' dialog should be
specified explicitly in the spec and should be an entire sentence.
Fixes: https://pagure.io/freeipa/issue/7707
Reviewed-By: Serhii Tsymbaliuk <stsymbal@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/commit/0f72fa2e441a7a6d178b959939887bfbfcd85ede">0f72fa2e</a></strong>
<div>
<span>by Stanislav Levin</span>
<i>at 2018-10-01T09:34:08Z</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">Add title to 'add' dialog for 'Password Policies' entity
To improve translation quality the title of 'Add' dialog should be
specified explicitly in the spec and should be an entire sentence.
Fixes: https://pagure.io/freeipa/issue/7707
Reviewed-By: Serhii Tsymbaliuk <stsymbal@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/commit/0c412db493426c18c2303f4b7aad6236cb6378a9">0c412db4</a></strong>
<div>
<span>by Stanislav Levin</span>
<i>at 2018-10-01T09:34:08Z</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">Add title to 'add' dialog for 'Certificates' entity
To improve translation quality the title of 'Add' dialog should be
specified explicitly in the spec and should be an entire sentence.
Fixes: https://pagure.io/freeipa/issue/7707
Reviewed-By: Serhii Tsymbaliuk <stsymbal@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/commit/7f6d6586ffba4a2f461fc5240362f3c1a382121a">7f6d6586</a></strong>
<div>
<span>by Stanislav Levin</span>
<i>at 2018-10-01T09:34:08Z</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">Add title to 'add' dialog for 'RADIUS' entity
To improve translation quality the title of 'Add' dialog should be
specified explicitly in the spec and should be an entire sentence.
Fixes: https://pagure.io/freeipa/issue/7707
Reviewed-By: Serhii Tsymbaliuk <stsymbal@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/commit/cb4a4bce993d613b4a69590b30d9532ba082fb39">cb4a4bce</a></strong>
<div>
<span>by Stanislav Levin</span>
<i>at 2018-10-01T09:34:08Z</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">Add title to 'add' dialog for 'Certificate Identity' entity
To improve translation quality the title of 'Add' dialog should be
specified explicitly in the spec and should be an entire sentence.
Fixes: https://pagure.io/freeipa/issue/7707
Reviewed-By: Serhii Tsymbaliuk <stsymbal@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/commit/d7c4bbefb88be10a763ec6f6fe45e0a0f4492525">d7c4bbef</a></strong>
<div>
<span>by Stanislav Levin</span>
<i>at 2018-10-01T09:34:08Z</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">Add title to 'add' dialog for 'Automount' entity
To improve translation quality the title of 'Add' dialog should be
specified explicitly in the spec and should be an entire sentence.
Fixes: https://pagure.io/freeipa/issue/7707
Reviewed-By: Serhii Tsymbaliuk <stsymbal@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/commit/166f96a04d6081371b927f899e855a6c1a5f8c22">166f96a0</a></strong>
<div>
<span>by Stanislav Levin</span>
<i>at 2018-10-01T09:34:08Z</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">Add title to 'add' dialog for 'DNS' entity
To improve translation quality the title of 'Add' dialog should be
specified explicitly in the spec and should be an entire sentence.
Fixes: https://pagure.io/freeipa/issue/7707
Reviewed-By: Serhii Tsymbaliuk <stsymbal@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/commit/cc5194e5825c0188333e09d412991e2d93b4252a">cc5194e5</a></strong>
<div>
<span>by Stanislav Levin</span>
<i>at 2018-10-01T09:34:08Z</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">Add title to 'add' dialog for 'Vault' entity
To improve translation quality the title of 'Add' dialog should be
specified explicitly in the spec and should be an entire sentence.
Fixes: https://pagure.io/freeipa/issue/7707
Reviewed-By: Serhii Tsymbaliuk <stsymbal@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/commit/94ec285e041a9690d448899bd0710ecfb5236e57">94ec285e</a></strong>
<div>
<span>by Stanislav Levin</span>
<i>at 2018-10-01T09:34:08Z</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">Add title to 'add' dialog for 'RBAC' entity
To improve translation quality the title of 'Add' dialog should be
specified explicitly in the spec and should be an entire sentence.
Fixes: https://pagure.io/freeipa/issue/7707
Reviewed-By: Serhii Tsymbaliuk <stsymbal@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/commit/e73483f4bf4562e4232b61ee092a2a0814b702d6">e73483f4</a></strong>
<div>
<span>by Stanislav Levin</span>
<i>at 2018-10-01T09:34:08Z</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">Add title to 'add' dialog for 'ID Ranges' entity
To improve translation quality the title of 'Add' dialog should be
specified explicitly in the spec and should be an entire sentence.
Fixes: https://pagure.io/freeipa/issue/7707
Reviewed-By: Serhii Tsymbaliuk <stsymbal@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/commit/d5a4e630a22555e3b48151efc2a864c4931c3b9c">d5a4e630</a></strong>
<div>
<span>by Stanislav Levin</span>
<i>at 2018-10-01T09:34:08Z</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">Add title to 'add' dialog for 'Trusts' entity
To improve translation quality the title of 'Add' dialog should be
specified explicitly in the spec and should be an entire sentence.
Fixes: https://pagure.io/freeipa/issue/7707
Reviewed-By: Serhii Tsymbaliuk <stsymbal@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/commit/bcf922369fe1a2a0321d988f18faaee053178417">bcf92236</a></strong>
<div>
<span>by Stanislav Levin</span>
<i>at 2018-10-01T09:34:08Z</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">Add title to 'add' dialog for 'Topology' entity
To improve translation quality the title of 'Add' dialog should be
specified explicitly in the spec and should be an entire sentence.
Fixes: https://pagure.io/freeipa/issue/7707
Reviewed-By: Serhii Tsymbaliuk <stsymbal@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/commit/5c8f39ab11993941f370ae5956b41adf2d03537f">5c8f39ab</a></strong>
<div>
<span>by Fraser Tweedale</span>
<i>at 2018-10-02T09:30:55Z</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">Fix writing certificate chain to file
An client-side error occurs when cert commands are instructed to
write the certificate chain (--chain option) to a file
(--certificate-out option). This regression was introduced in the
'cert' plugin in commit 5a44ca638310913ab6b0c239374f4b0ddeeedeb3,
and reflected in the 'ca' plugin in commit
c7064494e5801d5fd4670e6aab1e07c65d7a0731.
The server behaviour did not change; rather the client did not
correctly handle the DER-encoded certificates in the
'certificate_chain' response field. Fix the issue by treating the
'certificate' field as base-64 encoded DER, and the
'certificate_chain' field as an array of raw DER certificates.
Add tests for checking that the relevant commands succeed and write
PEM data to the file (both with and without --chain).
Fixes: https://pagure.io/freeipa/issue/7700
Reviewed-By: Christian Heimes <cheimes@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/commit/d86d81901a26dd82e32c93f0c06106bd2d8509a8">d86d8190</a></strong>
<div>
<span>by Alexander Bokovoy</span>
<i>at 2018-10-02T14:06:54Z</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">When stripping PO files, sort the output
Reviewed-By: Christian Heimes <cheimes@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/commit/28cfb2b17472c4af577a57e3ccb5f1b678025e65">28cfb2b1</a></strong>
<div>
<span>by Alexander Bokovoy</span>
<i>at 2018-10-02T14:06:54Z</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">Re-sort translations before merging Zanata updates
Reviewed-By: Christian Heimes <cheimes@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/commit/35d4d81f5aa9763fc31505c3f07a9c871dacdf68">35d4d81f</a></strong>
<div>
<span>by Alexander Bokovoy</span>
<i>at 2018-10-02T14:06:54Z</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">Update translations from Zanata ipa-4-7 branch
Reviewed-By: Christian Heimes <cheimes@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/commit/f2b9b7b5de92c46b8841560106080239f666d6b7">f2b9b7b5</a></strong>
<div>
<span>by Stanislav Levin</span>
<i>at 2018-10-03T11:14:52Z</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">Drop concatenated title of 'Add' dialog for details of entity
As for now the 'Add' dialog title, which is initialized within
details of the entity, contains translated concatenated texts,
like:
'Add ${other_entity} into ${entity} ${primary_key}',
where 'other_entity' and 'entity' are also translatable texts.
This construction is used via method 'show_add_dialog' of
association_facet for the all 'Add' actions within details
of entities.
The concatenation leads to a bad quality translation and
should be changed to an entire sentence.
>From now a mentioned title is taken from a spec and should be
specified explicitly.
Fixes: https://pagure.io/freeipa/issue/7712
Fixes: https://pagure.io/freeipa/issue/7714
Reviewed-By: Serhii Tsymbaliuk <stsymbal@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/commit/db7197ac225071239ba6b9bfdaa46fee415ec869">db7197ac</a></strong>
<div>
<span>by Stanislav Levin</span>
<i>at 2018-10-03T11:14:52Z</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">Add title to 'add' dialog for details of 'Certificate' entity
To improve translation quality the title of 'Add' dialog,
which is initialized within details of the entity, should be
specified explicitly in the spec and should be an entire sentence.
Fixes: https://pagure.io/freeipa/issue/7712
Fixes: https://pagure.io/freeipa/issue/7714
Reviewed-By: Serhii Tsymbaliuk <stsymbal@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/commit/989b895ad6168fe56015e128c2cf36c7059b409b">989b895a</a></strong>
<div>
<span>by Stanislav Levin</span>
<i>at 2018-10-03T11:14:52Z</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">Add title to 'add' dialog for details of 'Users' entity
To improve translation quality the title of 'Add' dialog,
which is initialized within details of the entity, should be
specified explicitly in the spec and should be an entire sentence.
Fixes: https://pagure.io/freeipa/issue/7712
Fixes: https://pagure.io/freeipa/issue/7714
Reviewed-By: Serhii Tsymbaliuk <stsymbal@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/commit/9d77d31df613f0408c0bc31b368592ce25e6308b">9d77d31d</a></strong>
<div>
<span>by Stanislav Levin</span>
<i>at 2018-10-03T11:14:52Z</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">Add title to 'add' dialog for details of 'Hosts' entity
To improve translation quality the title of 'Add' dialog,
which is initialized within details of the entity, should be
specified explicitly in the spec and should be an entire sentence.
Fixes: https://pagure.io/freeipa/issue/7712
Fixes: https://pagure.io/freeipa/issue/7714
Reviewed-By: Serhii Tsymbaliuk <stsymbal@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/commit/085681fa25d93019e8af33b3e16bf5a2e79e05fd">085681fa</a></strong>
<div>
<span>by Stanislav Levin</span>
<i>at 2018-10-03T11:14:52Z</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">Add title to 'add' dialog for details of 'Services' entity
To improve translation quality the title of 'Add' dialog,
which is initialized within details of the entity, should be
specified explicitly in the spec and should be an entire sentence.
Fixes: https://pagure.io/freeipa/issue/7712
Fixes: https://pagure.io/freeipa/issue/7714
Reviewed-By: Serhii Tsymbaliuk <stsymbal@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/commit/d206975337fb4096dc35f428e77aba60de4082f2">d2069753</a></strong>
<div>
<span>by Stanislav Levin</span>
<i>at 2018-10-03T11:14:52Z</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">Add title to 'add' dialog for details of 'Groups' entity
To improve translation quality the title of 'Add' dialog,
which is initialized within details of the entity, should be
specified explicitly in the spec and should be an entire sentence.
Fixes: https://pagure.io/freeipa/issue/7712
Fixes: https://pagure.io/freeipa/issue/7714
Reviewed-By: Serhii Tsymbaliuk <stsymbal@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/commit/e7f1c7b51c01c70ead2a1497cac4d1f731ff3997">e7f1c7b5</a></strong>
<div>
<span>by Stanislav Levin</span>
<i>at 2018-10-03T11:14:52Z</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">Add title to 'add' dialog for details of 'ID Views' entity
To improve translation quality the title of 'Add' dialog,
which is initialized within details of the entity, should be
specified explicitly in the spec and should be an entire sentence.
Fixes: https://pagure.io/freeipa/issue/7712
Fixes: https://pagure.io/freeipa/issue/7714
Reviewed-By: Serhii Tsymbaliuk <stsymbal@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/commit/e0e434ca0df15b3b3ff3612dd8e6b5c946c98858">e0e434ca</a></strong>
<div>
<span>by Stanislav Levin</span>
<i>at 2018-10-03T11:14:52Z</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">Add title to 'add' dialog for details of 'HBAC' entity
To improve translation quality the title of 'Add' dialog,
which is initialized within details of the entity, should be
specified explicitly in the spec and should be an entire sentence.
Fixes: https://pagure.io/freeipa/issue/7712
Fixes: https://pagure.io/freeipa/issue/7714
Reviewed-By: Serhii Tsymbaliuk <stsymbal@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/commit/665a1336225133c4a095237f3c4c01d5b7c0d2c6">665a1336</a></strong>
<div>
<span>by Stanislav Levin</span>
<i>at 2018-10-03T11:14:52Z</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">Add title to 'add' dialog for details of 'Sudo' entity
To improve translation quality the title of 'Add' dialog,
which is initialized within details of the entity, should be
specified explicitly in the spec and should be an entire sentence.
Fixes: https://pagure.io/freeipa/issue/7712
Fixes: https://pagure.io/freeipa/issue/7714
Reviewed-By: Serhii Tsymbaliuk <stsymbal@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/commit/98662ec550efc4d588c05239299b04d5671bc5c0">98662ec5</a></strong>
<div>
<span>by Stanislav Levin</span>
<i>at 2018-10-03T11:14:52Z</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">Add title to 'add' dialog for details of 'OTP Tokens' entity
To improve translation quality the title of 'Add' dialog,
which is initialized within details of the entity, should be
specified explicitly in the spec and should be an entire sentence.
Fixes: https://pagure.io/freeipa/issue/7712
Fixes: https://pagure.io/freeipa/issue/7714
Reviewed-By: Serhii Tsymbaliuk <stsymbal@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/commit/7f482eeee0ac01df7b0c5f97ab451351edf411cd">7f482eee</a></strong>
<div>
<span>by Stanislav Levin</span>
<i>at 2018-10-03T11:14:52Z</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">Add title to 'add' dialog for details of 'RBAC' entity
To improve translation quality the title of 'Add' dialog,
which is initialized within details of the entity, should be
specified explicitly in the spec and should be an entire sentence.
Fixes: https://pagure.io/freeipa/issue/7712
Fixes: https://pagure.io/freeipa/issue/7714
Reviewed-By: Serhii Tsymbaliuk <stsymbal@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/commit/c8878104aa564d1a9de2c9cdc03da0f105b3ac00">c8878104</a></strong>
<div>
<span>by Stanislav Levin</span>
<i>at 2018-10-03T11:14:52Z</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">Drop concatenated title of add dialog for association_table widget
As for now the default title of add dialogs, which are
initialized from 'association_table' widget, is set to something
like 'Add ${other_entity} into ${entity} ${primary_key}',
where 'other_entity' and 'entity' are also translatable texts.
This construction is used via method 'create_add_dialog' of
'association_table' widget for the all 'Add' actions within
details of entities.
Such concatenation leads to a bad quality translation and
should be changed to an entire sentence.
>From now a mentioned title is taken from a spec and should be
specified explicitly.
Fixes: https://pagure.io/freeipa/issue/7712
Fixes: https://pagure.io/freeipa/issue/7714
Reviewed-By: Serhii Tsymbaliuk <stsymbal@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/commit/eb506a3f7743a91b81105b6e17c4405e12306e0a">eb506a3f</a></strong>
<div>
<span>by Stanislav Levin</span>
<i>at 2018-10-03T11:14:52Z</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">Add title to 'add' dialog for 'association_table' widget of Hosts entity
To improve translation quality the title of 'Add' dialog,
which is initialized within details table of the entity, should be
specified explicitly in the spec and should be an entire sentence.
Fixes: https://pagure.io/freeipa/issue/7712
Fixes: https://pagure.io/freeipa/issue/7714
Reviewed-By: Serhii Tsymbaliuk <stsymbal@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/commit/2c6cde1c8dd0c3c60e6aa52083267772af2f587e">2c6cde1c</a></strong>
<div>
<span>by Stanislav Levin</span>
<i>at 2018-10-03T11:14:52Z</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">Add title to 'add' dialog for 'association_table' widget of Services entity
To improve translation quality the title of 'Add' dialog,
which is initialized within details table of the entity, should be
specified explicitly in the spec and should be an entire sentence.
Fixes: https://pagure.io/freeipa/issue/7712
Fixes: https://pagure.io/freeipa/issue/7714
Reviewed-By: Serhii Tsymbaliuk <stsymbal@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/commit/7aefa5b29b012704146acfab2ed110b40d789300">7aefa5b2</a></strong>
<div>
<span>by Stanislav Levin</span>
<i>at 2018-10-03T11:14:52Z</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">Add title to 'add' dialog for 'association_table' widget of Groups entity
To improve translation quality the title of 'Add' dialog,
which is initialized within details table of the entity, should be
specified explicitly in the spec and should be an entire sentence.
Fixes: https://pagure.io/freeipa/issue/7712
Fixes: https://pagure.io/freeipa/issue/7714
Reviewed-By: Serhii Tsymbaliuk <stsymbal@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/commit/172996ef197d5eec033f055bc0440514a7e0ed0b">172996ef</a></strong>
<div>
<span>by Stanislav Levin</span>
<i>at 2018-10-03T11:14:52Z</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">Add title to 'add' dialog for 'association_table' widget of HBAC entity
To improve translation quality the title of 'Add' dialog,
which is initialized within details table of the entity, should be
specified explicitly in the spec and should be an entire sentence.
Fixes: https://pagure.io/freeipa/issue/7712
Fixes: https://pagure.io/freeipa/issue/7714
Reviewed-By: Serhii Tsymbaliuk <stsymbal@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/commit/e14fe888b4709b627abcb4a1ff33f6adf05b23e2">e14fe888</a></strong>
<div>
<span>by Stanislav Levin</span>
<i>at 2018-10-03T11:14:52Z</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">Add title to 'add' dialog for 'association_table' widget of Sudo entity
To improve translation quality the title of 'Add' dialog,
which is initialized within details table of the entity, should be
specified explicitly in the spec and should be an entire sentence.
Fixes: https://pagure.io/freeipa/issue/7712
Fixes: https://pagure.io/freeipa/issue/7714
Reviewed-By: Serhii Tsymbaliuk <stsymbal@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/commit/cc643a52eb94f9aed666b20590ed0c800df2564c">cc643a52</a></strong>
<div>
<span>by Stanislav Levin</span>
<i>at 2018-10-03T11:14:52Z</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">Add title to 'add' dialog for 'association_table' widget of SELinux User Maps entity
To improve translation quality the title of 'Add' dialog,
which is initialized within details table of the entity, should be
specified explicitly in the spec and should be an entire sentence.
Fixes: https://pagure.io/freeipa/issue/7712
Fixes: https://pagure.io/freeipa/issue/7714
Reviewed-By: Serhii Tsymbaliuk <stsymbal@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/commit/3a4eec36025b18506877bf7fe5c1d3b9e74b5897">3a4eec36</a></strong>
<div>
<span>by Stanislav Levin</span>
<i>at 2018-10-03T11:14:52Z</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">Add title to 'add' dialog for 'association_table' widget of Certificates entity
To improve translation quality the title of 'Add' dialog,
which is initialized within details table of the entity, should be
specified explicitly in the spec and should be an entire sentence.
Fixes: https://pagure.io/freeipa/issue/7712
Fixes: https://pagure.io/freeipa/issue/7714
Reviewed-By: Serhii Tsymbaliuk <stsymbal@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/commit/d52212850c2af645263818c01e58611ea05b23c8">d5221285</a></strong>
<div>
<span>by Stanislav Levin</span>
<i>at 2018-10-03T11:14:52Z</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">Add title to 'add' dialog for 'association_table' widget of Vaults entity
To improve translation quality the title of 'Add' dialog,
which is initialized within details table of the entity, should be
specified explicitly in the spec and should be an entire sentence.
Fixes: https://pagure.io/freeipa/issue/7712
Fixes: https://pagure.io/freeipa/issue/7714
Reviewed-By: Serhii Tsymbaliuk <stsymbal@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/commit/8fa144417e679e01e0e5b53924e6d234ec35f665">8fa14441</a></strong>
<div>
<span>by Stanislav Levin</span>
<i>at 2018-10-03T11:14:52Z</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">Add title to 'add' dialog for 'association_table' widget of Topology entity
To improve translation quality the title of 'Add' dialog,
which is initialized within details table of the entity, should be
specified explicitly in the spec and should be an entire sentence.
Fixes: https://pagure.io/freeipa/issue/7712
Fixes: https://pagure.io/freeipa/issue/7714
Reviewed-By: Serhii Tsymbaliuk <stsymbal@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/commit/7b50fe43a17aef50a7acfcca7874497dd0a03042">7b50fe43</a></strong>
<div>
<span>by Christian Heimes</span>
<i>at 2018-10-05T15:37:57Z</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">Fix zonemgr encoding issue
The zonemgr validator and handler performs additional encodings for IDNA
support. In Python 3, the extra steps are no longer necessary because
arguments are already proper text and stderr can handle text correctly.
This also fixes 'b' prefix in error messages like:
option zonemgr: b'empty DNS label'
Fixes: https://pagure.io/freeipa/issue/7711
Signed-off-by: Christian Heimes <cheimes@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/commit/a30659c40ae1fb80cce057f7876cc0b70184db59">a30659c4</a></strong>
<div>
<span>by Florence Blanc-Renaud</span>
<i>at 2018-10-05T17:43:39Z</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">ipatests: remove TestReplicaManageDel (dl0)
TestReplicaManageDel is a test using domain level 0
but we do not support it any more. Remove the test.
Related to https://pagure.io/freeipa/issue/7689
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/commit/4b617ddba3102ab9aff1949fed999cd0387efdac">4b617ddb</a></strong>
<div>
<span>by Alexander Bokovoy</span>
<i>at 2018-10-05T17:45:52Z</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">Update list of contributors
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
(cherry picked from commit 753264069f29e47bf222e50e95a7ec5849a7f6cb)
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/commit/7eddb981c4d0b2c333e52ad68f6f353556ba24e4">7eddb981</a></strong>
<div>
<span>by Rob Crittenden</span>
<i>at 2018-10-05T18:04:49Z</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">Become IPA 4.7.1
</pre>
</li>
</ul>
<h4>30 changed files:</h4>
<ul>
<li class="file-stats">
<a href="#5d64d06edc9d8bbe57163be94e8577297e96e47f">
<span class="deleted-file">
−
.freeipa-pr-ci.yaml
</span>
</a>
</li>
<li class="file-stats">
<a href="#5d64d06edc9d8bbe57163be94e8577297e96e47f">
<span class="new-file">
+
.freeipa-pr-ci.yaml
</span>
</a>
</li>
<li class="file-stats">
<a href="#a5cc2925ca8258af241be7e5b0381edf30266302">
.gitignore
</a>
</li>
<li class="file-stats">
<a href="#b9d1853a1785388cebd4dc3ba4a473c163eed9f5">
.test_runner_config.yaml
</a>
</li>
<li class="file-stats">
<a href="#90ddfe544cbcefffa3b76ad4cd9b1cebb4f4fafd">
.test_runner_config_py3_temp.yaml
</a>
</li>
<li class="file-stats">
<a href="#dea01dd89a3b602828e630677fde5d77c06441c8">
.travis.yml
</a>
</li>
<li class="file-stats">
<a href="#b0bdd6bd019961475f1feba50bf1618195b21467">
.travis_run_task.sh
</a>
</li>
<li class="file-stats">
<a href="#8a8f67e18c8ed61c36e2901c12e37c094f6cd519">
.wheelconstraints.in
</a>
</li>
<li class="file-stats">
<a href="#4831b637d596df850dfe2919331d9904c0403eaa">
ACI.txt
</a>
</li>
<li class="file-stats">
<a href="#9dcdfc1feccc97e073d5d4710f3da3b5f37ad1f5">
API.txt
</a>
</li>
<li class="file-stats">
<a href="#2c5c5ed7d77485b627b5ba2e90b2f87baf64be55">
BUILD.txt
</a>
</li>
<li class="file-stats">
<a href="#0834ae016f8fea5cff771880c0be1d55299732ff">
<span class="new-file">
+
CODE_OF_CONDUCT.md
</span>
</a>
</li>
<li class="file-stats">
<a href="#d7ed7e35d7791778850754d99281016a9bacb652">
Contributors.txt
</a>
</li>
<li class="file-stats">
<a href="#d5b4de16d947214ec306bd57bed1bd23a939b5f9">
Makefile.am
</a>
</li>
<li class="file-stats">
<a href="#cb7aabd616315f2839dea6a9ea51cbc1dff56d3f">
<span class="new-file">
+
Makefile.pythonscripts.am
</span>
</a>
</li>
<li class="file-stats">
<a href="#8ec9a00bfd09b3190ac6b22251dbb1aa95a0579d">
README.md
</a>
</li>
<li class="file-stats">
<a href="#438c41c93b7f0c8b476c65c3eb42284f234bd810">
VERSION.m4
</a>
</li>
<li class="file-stats">
<a href="#521b4492ed13326bcb633dcdd0e7a0b876d266aa">
client/Makefile.am
</a>
</li>
<li class="file-stats">
<a href="#59b1679bd17d94a5f79f755d64cc0cb80925510e">
client/ipa-certupdate
→
client/ipa-certupdate.in
</a>
</li>
<li class="file-stats">
<a href="#b8a939fe189eb1ff695cf44e6346cc7539f016ad">
client/ipa-client-automount
→
client/ipa-client-automount.in
</a>
</li>
<li class="file-stats">
<a href="#f617507a5a8a1eefd889e92b7f855b22861a232c">
client/ipa-client-install
→
client/ipa-client-install.in
</a>
</li>
<li class="file-stats">
<a href="#8a84dc1127a684b319557e6204cc81b9909b144c">
client/ipa-getkeytab.c
</a>
</li>
<li class="file-stats">
<a href="#e4eba71132ec40f9516ea0fa207f3b4601f7e665">
client/ipa-join.c
</a>
</li>
<li class="file-stats">
<a href="#26616f952ef398b6ae9eb7d8687721b05028074d">
client/man/default.conf.5
</a>
</li>
<li class="file-stats">
<a href="#8a35d0bcf77b8ab072d502e1bdbfe353a823c769">
client/man/ipa-client-automount.1
</a>
</li>
<li class="file-stats">
<a href="#24d08149069d49a01ad6ec82eec3333757be12bf">
client/man/ipa-client-install.1
</a>
</li>
<li class="file-stats">
<a href="#e5d2277e0d16da52a4ae8ec255fb546233366f49">
client/man/ipa-getkeytab.1
</a>
</li>
<li class="file-stats">
<a href="#2c2a403acbc45950144a2c61e3eaaa2b9e3fe8ed">
client/man/ipa.1
</a>
</li>
<li class="file-stats">
<a href="#dd969454de251db1435d9fd37e48469170f6ca94">
<span class="new-file">
+
client/share/Makefile.am
</span>
</a>
</li>
<li class="file-stats">
<a href="#80997de215f44f16bea2a6c42461888701290524">
<span class="new-file">
+
client/share/freeipa.template
</span>
</a>
</li>
</ul>
<h5>The diff was not included because it is too large.</h5>
</div>
<div class="footer" style="margin-top: 10px;">
<p style="font-size: small; color: #777;">
—
<br>
<a href="https://salsa.debian.org/freeipa-team/freeipa/compare/17b64497d3e44605201d107ace2e4bfd4c1e9f36...7eddb981c4d0b2c333e52ad68f6f353556ba24e4">View it on GitLab</a>.
<br>
You're receiving this email because of your account on salsa.debian.org.
If you'd like to receive fewer emails, you can
adjust your notification settings.
</p>
</div>
</body>
</html>